If I have a route in Express with route parameters which are used to query my database, do I need to sanitize this parameter before using it?
What you do and don't need to sanitize is entirely dependent upon what you're doing with it.
The content in a route parameter comes entirely from the user, so it can be anything that is allowed in a URL and matches your route parameter. That means there are possibilities that something harmful could be injected within that. But, again, whether harm is actually possible or not depends on the exact code you're using. If you were injecting this user content into a SQL statement, then there are all sorts of bad things it could do. If you were just using it as a programmable query argument in a specific database API, there may be no harm.
So, there is no general purpose answer that applies to all possible uses of the data. It depends on the exact code you're using it in.
If in doubt, sanitize and validate the user input before using it.
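As an added illustration of that answer (this is example code, not from the original post): an Express-style handler for GET /users/:id that both validates the route parameter and hands it to the database as a bound parameter rather than splicing it into the SQL text. The `db.query(text, values)` shape (node-postgres style), the users(id, name) table and the fake request/response objects are all assumptions made so the file runs offline.

```javascript
// Added example (not from the original answer). An Express-style handler for
// GET /users/:id. Assumptions: a `db.query(text, values)` method in the style
// of node-postgres, and a users(id, name) table. Nothing here opens a socket,
// so the file runs stand-alone with the constructed fakes at the bottom.

// What NOT to do: the route parameter is spliced into the SQL text, so a
// value like "1 OR 1=1" becomes part of the statement.
function buildQueryUnsafe(rawId) {
  return `SELECT id, name FROM users WHERE id = ${rawId}`;
}

// Safe form: fixed SQL text, the value travels separately as a bound parameter.
function buildQuerySafe(id) {
  return { text: 'SELECT id, name FROM users WHERE id = $1', values: [id] };
}

// Validation on top of parameterisation: this route only accepts a positive
// decimal integer (no leading zeros, at most 15 digits), so anything else is
// rejected before the database is asked at all.
const ID_PATTERN = /^[1-9][0-9]{0,14}$/;
function parseId(raw) {
  if (typeof raw !== 'string' || !ID_PATTERN.test(raw)) return null;
  return Number(raw);
}

// Handler factory; `db` is injected so the handler can be exercised without a server.
function makeGetUserHandler(db) {
  return async function getUser(req, res) {
    const id = parseId(req.params.id);
    if (id === null) {
      return res.status(400).json({ error: 'id must be a positive integer' });
    }
    const { text, values } = buildQuerySafe(id);
    const rows = await db.query(text, values);
    if (rows.length === 0) return res.status(404).json({ error: 'not found' });
    return res.status(200).json(rows[0]);
  };
}

// Constructed fakes (not real Express or pg objects) for a stand-alone run.
function fakeDb() {
  const calls = [];
  return {
    calls,
    async query(text, values) {
      calls.push({ text, values });
      return values[0] === 1 ? [{ id: 1, name: 'alice' }] : [];
    },
  };
}
function fakeRes() {
  const res = { statusCode: 0, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Runs the handler against one raw :id value and reports what happened,
// including every statement the fake database was asked to run.
async function demo(rawId) {
  const db = fakeDb();
  const res = fakeRes();
  await makeGetUserHandler(db)({ params: { id: rawId } }, res);
  return { status: res.statusCode, body: res.body, calls: db.calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildQueryUnsafe('1 OR 1=1'));
  demo('1').then(console.log).then(() => demo("1'")).then(console.log);
}
```

The point of running `demo("1'")` and `demo('1 OR 1=1')` is that neither reaches the database: validation answers 400 first, and even if validation were loosened, the value would still arrive as `values[0]`, never as SQL text.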
Related
I'm new in API developement and I wanted to know what is the best choice to create pagination :
GET request with query params (sort, limit, etc.)
POST request with params in the body (sort, limit, etc.)
I was more on the GET side, but my coworkers think POST is a better choice, so I just wanted your opinion.
GET would be the usual choice.
General purpose components will understand that the semantics of GET are safe, which means they are also idempotent. If a GET request receives no response, you can automatically retry it without any concerns about loss of property.
Furthermore, if all of the information you need to identify the resource is included in the URI, then you can bookmark the URI, or paste it into an email, or link to it in a document, and it will all "just work".
Also, using GET -- with all of the relevant details encoded into the resource identifier -- means that the response can be cached and re-used. The constraints on caching POST requests mean that you can't capture the information in the request body.
At some point in the future, HTTPWG will register a new HTTP method to cover the safe method with a body case, which may change some of the answers.
In the meantime, it is okay to use GET.
GET is the recommended way to do this, because the answer can be cached and the goal is reading not writing. You can use the query string or range headers for pagination. The exact solution depends on your needs. There are a few standard query languages for this, like OData, but they are overkill for a simple API. Building a custom solution on top of URI templates might be a better choice, or there are non-standard query languages too like RQL, which can be completely or partially implemented in your solution.
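Both answers above recommend GET with the paging details in the query string. The security-relevant part of that choice is parsing those parameters defensively: `sort` cannot be a bound parameter (ORDER BY takes an identifier, not a value), so it must be matched against an allowlist, and `limit`/`offset` must be bounded so a client cannot pull the whole table or force a huge scan. The following is an added example, not code from either answer; the dogs table, its column names and the node-postgres-style `{ text, values }` shape are assumptions.

```javascript
// Added example (not from the original answers): defensive parsing of GET
// pagination parameters. Assumptions: a dogs(id, name, created_at) table and
// a database client that takes { text, values } with $1-style placeholders.

// Public sort keys mapped to real column names. The client never supplies a
// column name directly, so nothing it sends can reach ORDER BY as text.
const SORTABLE = { id: 'id', name: 'name', created: 'created_at' };
const MAX_LIMIT = 100;
const DEFAULT_LIMIT = 20;
const DIGITS = /^[0-9]{1,9}$/;

// Accepts only a short decimal string; clamps to `max`, rejects below `min`.
// Express's req.query can hold arrays or objects (?limit=1&limit=2), which
// the typeof check rejects rather than coercing.
function parseBoundedInt(raw, fallback, min, max) {
  if (raw === undefined) return fallback;
  if (typeof raw !== 'string' || !DIGITS.test(raw)) return null;
  const n = Number(raw);
  if (n < min) return null;
  return Math.min(n, max);
}

// Returns either { error } or the validated paging spec.
function parsePagination(query) {
  const limit = parseBoundedInt(query.limit, DEFAULT_LIMIT, 1, MAX_LIMIT);
  if (limit === null) return { error: `limit must be an integer between 1 and ${MAX_LIMIT}` };

  const offset = parseBoundedInt(query.offset, 0, 0, Number.MAX_SAFE_INTEGER);
  if (offset === null) return { error: 'offset must be a non-negative integer' };

  const sortKey = query.sort === undefined ? 'id' : query.sort;
  // hasOwnProperty.call rather than `in`, so "__proto__" or "constructor"
  // do not match inherited properties of the allowlist object.
  if (typeof sortKey !== 'string' || !Object.prototype.hasOwnProperty.call(SORTABLE, sortKey)) {
    return { error: `sort must be one of ${Object.keys(SORTABLE).join(', ')}` };
  }

  const dir = query.dir === undefined ? 'asc' : query.dir;
  if (dir !== 'asc' && dir !== 'desc') return { error: 'dir must be asc or desc' };

  return { limit, offset, sortColumn: SORTABLE[sortKey], dir };
}

// ORDER BY is built from allowlisted identifiers only; the numbers that came
// from the client are passed as bound parameters.
function buildListQuery(p) {
  return {
    text: `SELECT id, name, created_at FROM dogs ORDER BY ${p.sortColumn} ${p.dir.toUpperCase()} LIMIT $1 OFFSET $2`,
    values: [p.limit, p.offset],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs standing in for Express req.query objects.
  console.log(buildListQuery(parsePagination({ limit: '500', sort: 'created', dir: 'desc' })));
  console.log(parsePagination({ sort: 'name; DROP TABLE dogs' }));
  console.log(parsePagination({ sort: ['name', 'id'] }));
}
```

Because every accepted combination maps to a bounded, fully determined query, the resulting GET responses are also safe to cache by URL, which is the property the answers above rely on.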
I'm trying to encrypt query parameters in an Angular 5/6 project. We have some sensitive data in the URL which we might need to encrypt or hash so an outside user won't know.
Is there a way to do that or worth doing? For example, would that be really safe, or maybe have a big impact on performance?
I've seen some routing configured as /edit/:id/:name, but I'm confused as to whether it's really safe to expose the ID or other parameters in the URL.
Like @jonrsharpe suggests, we can use an EventEmitter or Subject through a service to pass data as an object between components, so there is no need to hash the query parameters in routing.
I have a website, let's say that my site is example.com.
I would like to show a post if anyone tries to SQL-inject it. For example, if the link is example.com/?portofolio=1 and they type example.com/?portofolio=1' then I would like to show a post/page (refer them to another post) instead of database information (if they get any). Every time they type ' at the end of any URL.
If you are asking how to show that page - that depends on the language and/or framework you are using. This can usually be done with a redirect, though some frameworks allow rendering a different page for the same URL.
If you are asking how to detect SQL injections - that depends on how your code works. Different codes will have different ways to inject SQL. If you are going to go through the trouble of figuring out all the SQL vulnerabilities in your code, and code some rules to try and catch them - wouldn't it be better to remove those vulnerabilities? It'll be easier too - usually the answer is to use SQL parameters instead of concatenating strings.
I was discussing RESTful APIs with a friend, and he asked why it uses two base URLs for collections and items (/dogs and /dogs/1234) instead of a single URL with query parameters like everything else (/dogs and /dogs?id=1234).
After some further discussion, I realized I couldn't come up with an argument that wasn't based around aesthetic reasons (meaning the URL looks better as /dogs/1234 instead of /dogs?id=1234).
You could have one base URL that handles both collections and single items for a resource, and it does seem strange that there is this one special case where you use a non-query parameter (/1234 instead of ?id=1234) to reference a resource.
Which leads me to ask, is there a specific, non-aesthetic reason to use two base URLs for a resource instead of one in a RESTful API?
One thing I considered was that nested resources like /dogs/1/fleas/10 seem awkward, but still doable with a single base URL (/dogs?id=1&flea_id=10).
URI design is only one very small part of a REST API, although you would think it is the only thing about being REST-ful given the amount of time spent talking about it. Authentication, content types, response codes, method types (GET, POST, PUT, DELETE, OPTIONS), discover-ability and caching strategies are much more important things to consider.
However, when thinking about whether or not query strings are appropriate, first make a determination of whether or not they can accurately represent a resource's state without changing it. Can the same resource (your dog) be identified at that location using that URI (presumably always)? Will that dog change in some way because you chose a query string with ID instead of representing the ID in the path? No, it won't, which is why a query string in this case is just fine. As a matter of fact either of those will do.
What is the best way to avoid SOQL Injection when querying salesforce through the APIs?
The two main APIs I am interested in are the SOAP and REST APIs.
My current methods are to never use any input from the user (which is impractical if they are searching for a Company Name) or encoding certain characters within the string.
However, I saw that there was parameterisation within Apex, so I was wondering if there was a similar way of doing it through the APIs.
I think all you really need to do is to make sure that the input, in this case the company name, is escaped properly. I am not aware of a parameterized way of building a query object for either of the APIs.
However, if you needed to you could expose a custom web service method from within Salesforce so that you can pass the value in. Then from within the Salesforce Apex Code language you can parameterize the value using a syntax similar to below:
public Account[] queryCompany(string companyName) {
    return [SELECT Id FROM Account WHERE Name = :companyName];
}
Philosophical rant
What are you after really :)
If your application should work the same way when accessed from different sources (Salesforce UI, PHP connector, some mobile applications) then it probably makes most sense to think about Apex like some stored procedures that will be reused. This means you'd be passing safe parameters to them.
If you plan to hand-craft queries & not rely on Apex too hard - maybe what you need is something like database.com or other cloud-based DB solutions?
Actual answer
I'm not aware of an out of the box way to pass separately the query command and separately the params to it (like bind variables/prepared statements) through APIs. Both REST and SOAP API give you what's essentially Database.query() within Apex. Sure, there are some differences like retrieve() command or queryMore() but that's the baseline.
What you could do is to either expose some commonly used searches with methods similar to what John proposed (bonus points for extra performance - they're precompiled) or build something generic?
List<sObject> runQuery(String query, List<List<String>> params){...}
If runQuery contains bind variables like params[0], it should work. Looks crazy and I didn't test it, though ;) I'd say that bind variables are the best method. The alternative would be to escape the user's input, but SQL and XSS injections can become amazingly creative. Check "Examples of XSS that I can use to test my page input?" for a start (yes, I'm aware you asked about SOQL only).
As for actual SOQL injection: http://wiki.developerforce.com/page/Secure_Coding_SQL_Injection. Since "worst that can happen" is that users will search for more than they were supposed to (no way to convert SELECT into INSERT) escaping should be safe-ish...