SQL Injections

I am just curious to know how exactly n8n is handling SQL injections.

Eg: Is the POST body sent to webhook sanitized/escapted?
Or are the expressions which are added to SQL query, are they internally sanitized?

In short what preventive measures are in place at the moment.

Hey @MayurVirkar, this depends on how you build your workflow. For example when using the Postgres node to execute a query you could use parameters to prevent SQL injection:


When using expressions to include data from a webhook’s POST body directly in your queries your workflow could be subject to SQL injection on the other hand.

First, I could never get the query parameters to work. Does the above query work for you?

Eg of mine

Never works.

Another one for easy understanding

No idea what I am doing wrong here.

Secondly, What about MySql?

Hi @MayurVirkar, the query parameter would take the key of a field, not the actual value:

The MySQL node doesn’t support parameters yet (so you would need to do sanitization as part of your workflow when running queries). You might however want to raise a feature request for this, seeing how this is a rather useful feature. I’ve also suggested this myself internally a while back.


@MutedJam Can we also update the documentation? Coz many people get confused with this.
Maybe we can just add this image to the documentation itself.

1 Like

Sure, I’ll add this as a suggestion to the documentation backlog!