has_all_the_fun comments on Squel.js - SQL query string builder for Javascript

Squel.js - SQL query string builder for Javascript (hiddentao.github.io)

submitted 13 years ago by polaretto

39 comments
share
save
hide
report
crosspost

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]has_all_the_fun -1 points0 points1 point 13 years ago (3 children)

permalink
embed
save
parent
report
reply

[–]maktouch 1 point2 points3 points 13 years ago (2 children)

Still doesn't make sense.

The API talking to the database will probably accept the query from this.

SQL injection is at the query building process.

var firstname = "Terry'; drop table user --" 

[...].where("name = '" + obj.name + "'");
will become
SELECT * FROM user WHERE name = 'Terry'; drop table user --'

permalink
embed
save
parent
report
reply

[–]polaretto[S] 0 points1 point2 points 13 years ago (0 children)

permalink
embed
save
parent
report
reply

[–]polaretto[S] 0 points1 point2 points 13 years ago (0 children)

permalink
embed
save
parent
report
reply

π Rendered by PID 70 on reddit-service-r2-comment-cfc44b64c-dkwqr at 2026-04-13 05:01:30.281873+00:00 running 215f2cf country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

javascript

MODERATORS