How would one prevent injection from methods like ...
# javascript
d
How would one prevent injection from methods like `.or()`?
s
Hm, you mean you think it's possible to do SQL injection through the javascript library?
d
Not really SQL injection, but just normal injection using template literals in JS. An example of injection would be something like this:
```js
// userInput is attacker-controlled; the trailing ".id,eq,..." part is the injected filter
const userInput = "my-own-username.id,eq,someone-else";
const { data } = await supabase
  .from("users")
  .select()
  .or(`username,eq,${userInput}`);
```
Which would mean the `or` value will become `username,eq,my-own-username.id,eq,someone-else`. However, filters like `.eq()` are safe because they can't "escape" their parameter.
I could obviously write my own function to escape `,` and `.`, but I'm wondering if there are built-in functions and alternatives
s
> Which would mean the or value will become username,eq,my-own-username.id,eq,someone-else

Ah, but that's why you design your RLS policies first, right? So a user can only see a subset of the data no matter the query he does.
d
It would still be kind of weird if they have a `.` or `,` in the value. Speaking of that, how would you escape those characters? Also, I'm using this on a server, which means I'm using the private key, which bypasses RLS.
s
In that case you should be escaping that data if you are using the server with the secret key
Btw you can use RLS while using Supabase on the server side as long as you are not using the secret key
d
> you should be escaping that data

But how?
s
Try double quoting the eq value like
```js
const { data } = await supabase
  .from("users")
  .select()
  .or(`username.eq."${userInput}"`);
```
d
But that would mean they can use `"` to escape out of there
s
Yes, in that case you'd have to use `\"`
d
So something like `\\"` in JS?
s
Yup
d
Alright, thanks for the help