Could anybody tell me how do I escape input values to prevent SQL injection? I have a user authentication app and I need to somehow import some security.
My validation looks like this:
//Validation
req.checkBody('name', 'Name is required').notEmpty();
req.checkBody('email', 'Email is required').notEmpty();
req.checkBody('email', 'Email is not valid').isEmail();
req.checkBody('password', 'Password is required').notEmpty();
req.checkBody('password', 'Password must have at least 6 characters').len(6,20);
req.checkBody('password2', 'Passwords do not match').equals(req.body.password);
And then I INSERT some values as follows:
var stmt = db.prepare("INSERT INTO users ( id, name, email, password, salt) VALUES (NULL, ?, ?, ?, ?)");
stmt.run([ name, hashEmail(email,'salt'), hashPassword(password,'salt'), 'salt'], function(error){ //.....
I have been told this is not really secure way to import values, but as long as I am not really experienced in internet security I would require some help from you.
Regards
As you are already using a parameterized query correctly (instead of constructing a string of SQL mixed with request parameters, you used ? in your query to designate places where parameters will be substituted when the SQL statement is executed), your code shown above is already fine and not vulnerable to SQL injection.
It would only be vulnerable to SQLi if you concatenated those variables with the SQL string itself.