Storing permissions in an SQLite database
Opening
Hi, this is part nine of an ongoing series where I'm learning to code, the ...
This is such a sweet spot for SQL injection!
If you would pass a name, such as:
hax0r"OR"1"="1
you would end up with the following query:
That could become a big problem.
So I'd need some sort of validation?
I think in this instance they'd just get false, as the array is never passed back but is compared to the password string. Though, I see your point stands.

In this case prevalidation or filtering of user input is not a good idea, since you cannot know the wide range of quirks and exploits to guard against and you will make a mistake. It's better not to have to worry about the effectiveness of an attack like that. There's a solution for that. Look into "parameterized" or "prepared" statements. Instead of baking user input right into your query string, you use placeholders instead (pseudo code):
...which are safely populated by calling a setter method on the prepared statement:
That's just pseudo code for presenting the idea. You need to look up how this is done with your library or framework.
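The difference the comment above describes, as an added example that is not part of the thread or of the series' own code: the concatenated query beside its parameterised form, run against a constructed in-memory table using Python's standard-library sqlite3 module (the thread's Node sqlite3 library exposes the same placeholder idea). The injected name uses single quotes to match this example's quoting, an assumption; the thread's payload relies on double quotes.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user row in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def get_passwords_unsafe(conn, name):
    """Vulnerable: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT password FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def get_passwords_safe(conn, name):
    """Parameterised: '?' is bound by the driver, so the input is data, never SQL."""
    sql = "SELECT password FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def login_safe(conn, name, password):
    """Exactly one matching row whose stored password equals the supplied one."""
    return get_passwords_safe(conn, name) == [password]


if __name__ == "__main__":
    db = make_db()
    injected = "hax0r' OR '1'='1"
    # The unsafe query's WHERE clause becomes: name = 'hax0r' OR '1'='1'
    # which is true for every row, so every stored password comes back.
    print(get_passwords_unsafe(db, injected))  # → ['correct horse']
    # The bound parameter is compared literally to the name column: no match.
    print(get_passwords_safe(db, injected))    # → []
    print(login_safe(db, "alice", "correct horse"))  # → True
```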
Thank you, I've started using sqlite3 which has prepared statements built in 😀
You were very helpful
github.com/ignis-pwa/permissions_h...
Thomas has summed it up quite nicely.
Maybe this exact query wouldn't leak your data. I really wanted to point out that these kinds of queries are potentially dangerous. 😉👍
I assume you need a Promise because you are initialising a connection to the database or something similar. In that case, I would just have a setup function for your app that would run after the connection is established and inject the connection to whatever object needs it.
This is an example of what I mean.
If you want to see it in the real world, I initialise an express server using this method here.
That being said, since the queries to the database are asynchronous and will return a Promise anyway, it doesn't make a big difference. I think that waiting for the connection to the database to be resolved and then initialising your application is cleaner and easier in the long run, but that's just my personal preference.
Is that better than having an init function with the class?
It's hard to say what is objectively better without being familiar with your code. I don't even know why you need a class at all if all it's doing is retrieving a user and their password from the database.
I like my approach because I can treat the connection to the database as a synchronous value in my entire application, which means less asynchronous code. Any code that has access to the connection can use it as a regular object, no need to await anything in case it hasn't been initialised.
With your approach, any function that queries the database needs to check if the connection object exists, and if it doesn't, call the function that creates it, and wait for the promise to resolve. If you only query the database in one place, it's fine, but I can imagine it becoming harder the more different queries you need to do against the database.
Then again, I might have entirely misunderstood your code.
I was only using a class as a place to store lots of functions. I guess it makes sense to have a bunch of functions that you pass the database to as an argument.
Thank you 🙂
Hey Andrew, completely unrelated to your question but I just noticed it on this post as well:
How do you get the series buttons at the top and bottom? Is that automatic or did you add them manually?
It was a new feature added a couple of weeks ago 🙂
dev.to/ben/changelog-create-series...
$username = 'myName" OR "1';