{keyword};select Pg_sleep(5)-- Apr 2026

🔍 Understanding the Payload {KEYWORD};SELECT PG_SLEEP(5)--

The input provided (`SELECT PG_SLEEP(5)--`) is a classic payload used to test for SQL injection vulnerabilities in PostgreSQL databases. The payload attempts to force the database to pause, confirming that a vulnerability exists if the server's response is delayed. The vulnerable parameter in the example below is `topic`, supplied as `topic: {KEYWORD}`.

Mitigations

Parameterized queries (prepared statements): This is the most effective defense. It separates the SQL command from the data, ensuring input is never executed as code.

```javascript
// node-postgres client; the connection setup is added here for completeness
const { Client } = require('pg');
const db = new Client();

// UNSAFE: vulnerable to the injection shown above; the input is spliced into the SQL text
const unsafeQuery = "SELECT * FROM articles WHERE topic = '" + userInput + "'";

// SAFE: parameterized query; the input is sent separately as a bound value
const query = "SELECT * FROM articles WHERE topic = $1";
const values = [userInput];
db.query(query, values, (err, res) => {
  // The database treats $1 strictly as data, even if it contains "SELECT PG_SLEEP(5)"
});
```

Principle of least privilege: Ensure the database user account used by the application does not have permission to execute administrative functions like `pg_sleep()` or to access system tables like `pg_user`.

Input validation: Strict allow-listing for expected formats (e.g., ensuring a "keyword" contains only alphanumeric characters).

Use an ORM: Use modern Object-Relational Mappers (ORMs) such as TypeORM or Sequelize, which use parameterized queries by default.
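The allow-listing and parameterization advice above, combined in one request handler, as an added example that is not part of the original page. `runQuery` is a hypothetical stand-in for pg's `db.query(text, values)`, and the constant names are assumptions; the payload string is the one from the page.

```javascript
// Added example: allow-list validation plus a parameterized pg-style query
// for the "topic" keyword lookup. Runs offline; runQuery is a stub.

const KEYWORD_RE = /^[A-Za-z0-9]{1,64}$/; // allow-list: alphanumeric only

// True only when the keyword matches the expected format.
function isValidKeyword(input) {
  return typeof input === 'string' && KEYWORD_RE.test(input);
}

// UNSAFE: string concatenation; the input becomes part of the SQL text.
function unsafeTopicQuery(userInput) {
  return "SELECT * FROM articles WHERE topic = '" + userInput + "'";
}

// SAFE: the SQL text is fixed; the input travels separately as a bound value.
function safeTopicQuery(userInput) {
  return { text: 'SELECT * FROM articles WHERE topic = $1', values: [userInput] };
}

// Detection aid for logging/alerting: flags inputs that look like
// time-delay probes, independent of whether the query itself is safe.
const DELAY_PROBE_RE = /pg_sleep\s*\(/i;
function looksLikeDelayProbe(input) {
  return DELAY_PROBE_RE.test(String(input));
}

// Request handler: validate first, then use only the parameterized form.
// runQuery is a hypothetical stand-in for pg's db.query(text, values).
function handleTopicRequest(userInput, runQuery) {
  const flagged = looksLikeDelayProbe(userInput); // surface to SIEM/WAF logs
  if (!isValidKeyword(userInput)) {
    return { status: 400, flagged, error: 'invalid keyword' };
  }
  const { text, values } = safeTopicQuery(userInput);
  return { status: 200, flagged, rows: runQuery(text, values) };
}

// Constructed sample input: the payload discussed on the page.
const PAYLOAD = '{KEYWORD};SELECT PG_SLEEP(5)--';
```

Even if validation were bypassed, `safeTopicQuery` never changes its SQL text, so the payload could only ever be compared against the `topic` column as a string.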