I am just curious to know how exactly n8n is handling SQL injections.
Eg: Is the POST body sent to webhook sanitized/escaped?
Or are the expressions which are added to the SQL query internally sanitized?
In short what preventive measures are in place at the moment.
Hey @MayurVirkar, this depends on how you build your workflow. For example when using the Postgres node to execute a query you could use parameters to prevent SQL injection:
When using expressions to include data from a webhook’s POST body directly in your queries your workflow could be subject to SQL injection on the other hand.
First, I could never get the query parameters to work. Does the above query work for you?
Eg of mine
Another one for easy understanding
No idea what I am doing wrong here.
Secondly, what about MySQL?
Hi @MayurVirkar, the query parameter would take the key of a field, not the actual value:
The MySQL node doesn’t support parameters yet (so you would need to do sanitization as part of your workflow when running queries). You might however want to raise a feature request for this, seeing how this is a rather useful feature. I’ve also suggested this myself internally a while back.
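To make the distinction in the reply above concrete, here is an added example in plain JavaScript (not code from n8n or from the screenshots in this thread) that mimics how the Postgres node's `$1`, `$2` placeholders and a comma-separated list of field *names* are combined with an incoming webhook item, next to the string-interpolation approach the reply warns about; the function names and the sample item are constructed for this illustration.

```javascript
// Constructed sample: the JSON of one incoming webhook item. The apostrophe in
// the e-mail address is ordinary data, yet it is enough to break interpolation.
const webhookItem = { json: { email: "o'brien@example.com", plan: "pro" } };

// Risky pattern: an expression pastes the field value into the SQL text itself,
// so whatever characters the request contains become part of the statement.
function buildInterpolated(item) {
  return `SELECT id FROM users WHERE email = '${item.json.email}' AND plan = '${item.json.plan}'`;
}

// Parameterised pattern (hypothetical helper mirroring the node's convention):
// the SQL text stays fixed, "queryParameters" lists the keys of the item fields
// to bind to $1, $2, ... and the values travel separately to the database driver.
function buildParameterised(item, queryText, queryParameters) {
  const keys = queryParameters
    .split(",")
    .map((k) => k.trim())
    .filter((k) => k.length > 0);
  const values = keys.map((key) => {
    if (!Object.prototype.hasOwnProperty.call(item.json, key)) {
      throw new Error(`item has no field "${key}" to bind`);
    }
    return item.json[key];
  });
  // Guard against a mismatch between placeholders in the query and listed keys.
  const indexes = (queryText.match(/\$\d+/g) || []).map((p) => Number(p.slice(1)));
  const highest = indexes.length > 0 ? Math.max(...indexes) : 0;
  if (highest !== values.length) {
    throw new Error(`query uses $1..$${highest} but ${values.length} parameter(s) were listed`);
  }
  return { text: queryText, values };
}

// Stand-alone demonstration of both outcomes on the same item.
const interpolated = buildInterpolated(webhookItem);
const parameterised = buildParameterised(
  webhookItem,
  "SELECT id FROM users WHERE email = $1 AND plan = $2",
  "email, plan"
);
console.log(interpolated);   // quote inside the value lands in the SQL text
console.log(parameterised);  // text unchanged, values bound separately
```

The parameter field therefore holds `email, plan` (the keys), not the e-mail address or plan value; the node resolves the keys against each item at run time.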
@MutedJam Can we also update the documentation? Because many people get confused with this.
Maybe we can just add this image to the documentation itself.
Sure, I’ll add this as a suggestion to the documentation backlog!