Hipster your SQL!


  • Considered Harmful

    @anonymous234 said in Hipster your SQL!:

    To be fair, the syntax looks pretty nice

    let template = 'UPDATE foobar SET {{property}} WHERE id = {{id}}'
    let parameter = {id: 1, property: {foo: 'bar', num: 3.14}}
    render(template, parameter)
    

    Assuming that we're correct that it's performing "escaping", which usually concerns itself with quotes - you've just posted a potentially vulnerable query. Since the parameters you've used aren't quoted (table names and numbers typically aren't), there's no need to use a forbidden character to accomplish SQL injection.
    JavaScript's dynamic typing system helps out here, too, because it won't complain at all if you put a string into that number variable (or more accurately: if that variable you think is a number isn't).
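An added example in JavaScript (not code from the thread or from the module being discussed) that makes the point concrete: a mustache-style renderer that only quote-escapes its values, beside a hardened one that validates each placeholder by kind. The template is simplified so that `property` is a single column name; `escapeString`, `renderNaive`, `renderChecked` and the `ALLOWED_COLUMNS` whitelist are all assumed here.

```javascript
// Quote-oriented escaping of the kind SQL client libraries apply to string
// literals (an assumed, simplified shape; not node-mysql's own function).
function escapeString(value) {
  return String(value).replace(/[\0\n\r\b\t\x1a\\'"]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // backslash, single quote, double quote
    }
  });
}
// Naive renderer: every {{name}} becomes the escaped value, nothing more.
// Escaping only neutralises quote-like characters, so in an unquoted position
// (identifier or number) a value that contains none is inserted verbatim.
function renderNaive(template, params) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) => escapeString(params[name]));
}
// Hardened renderer: each placeholder declares a kind and is validated against it.
// Identifiers must come from a whitelist and numbers must really be numbers;
// only quoted string literals rely on escaping at all.
const ALLOWED_COLUMNS = new Set(['foo', 'num']); // constructed whitelist
function renderChecked(template, params, kinds) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) => {
    const value = params[name];
    switch (kinds[name]) {
      case 'identifier':
        if (!ALLOWED_COLUMNS.has(value)) throw new TypeError(`unknown column: ${value}`);
        return '`' + value + '`';
      case 'number':
        if (typeof value !== 'number' || !Number.isFinite(value)) {
          throw new TypeError(`${name} must be a finite number, got ${typeof value}`);
        }
        return String(value);
      case 'string':
        return "'" + escapeString(value) + "'";
      default:
        throw new TypeError(`no kind declared for placeholder ${name}`);
    }
  });
}
// Constructed inputs: a string has crept into the numeric id parameter (JavaScript
// does not object), and it contains nothing that quote-escaping would touch.
const TEMPLATE = 'UPDATE foobar SET {{property}} = 1 WHERE id = {{id}}';
const TAINTED = { property: 'foo', id: '1 OR 1=1' };
const KINDS = { property: 'identifier', id: 'number' };
```

`renderNaive(TEMPLATE, TAINTED)` returns the tainted string untouched inside the query, while `renderChecked(TEMPLATE, TAINTED, KINDS)` refuses it before any SQL is built.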


  • BINNED

    @Onyx said in Hipster your SQL!:

    WHY THE FUCK IS THIS EVEN A THING?

    Is it? The project has 1 fork and 1 watch



  • @dkf said in Hipster your SQL!:

    I checked the source; I'm not sure if it is doing the right thing or not.

    And that, ladies and gentlemen, is both the whole of what is wrong with software in 2016 and the reason why the Singularity will never be a thing.


  • BINNED

    @dse It exists. I give no fucks about how many likes it has, WHY DOES IT EVEN?



  • @dkf said in Hipster your SQL!:

    @Onyx said in Hipster your SQL!:

    A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?

    The documentation (such as it is) says that the {{foobar}} notation is escaped by mysql. Escaped. :facepalm:

    It looks like it just provides another notation for node-mysql. And that module has issue reports like true server-side Prepared Statements, with very interesting discussions:

    efuquen commented on 22 Feb 2013
    So there are even more issues than security with this, which regardless should obviously be the most important reason for implementing this. (..)

    dresende commented on 22 Feb 2013
    I think everyone is convinced but none of us is paid to do it. (..)

    dresende closed this on 22 Feb 2013

    cblage commented on 22 Feb 2013
    Why are you closing this issue? You don't think not supporting prepared statements is an issue?

    felixge reopened this on 7 Mar 2013

    And apparently it is still not solved.



  • @Grunnen said in Hipster your SQL!:

    @dkf said in Hipster your SQL!:

    @Onyx said in Hipster your SQL!:

    A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?

    The documentation (such as it is) says that the {{foobar}} notation is escaped by mysql. Escaped. :facepalm:

    It looks like it just provides another notation for node-mysql. And that module has issue reports like true server-side Prepared Statements, with very interesting discussions:

    efuquen commented on 22 Feb 2013
    So there are even more issues than security with this, which regardless should obviously be the most important reason for implementing this. (..)

    dresende commented on 22 Feb 2013
    I think everyone is convinced but none of us is paid to do it. (..)

    dresende closed this on 22 Feb 2013

    cblage commented on 22 Feb 2013
    Why are you closing this issue? You don't think not supporting prepared statements is an issue?

    felixge reopened this on 7 Mar 2013

    And apparently it is still not solved.

    That is a perfect line-o-code sample of everything that is wrong with open source everything :facepalm:


  • Discourse touched me in a no-no place

    @Onyx said in Hipster your SQL!:

    why the hell would you make another damned layer of abstraction and dependencies

    The end goal: abstractions and dependencies all the way down.


  • BINNED

    @Onyx said in Hipster your SQL!:

    It exists. I give no fucks about how many likes it has, WHY DOES IT EVEN?

    Low internet pointz, hipsters will not likez it.

