Wappler 5.3.1
NodeJS
MariaDB
Discovered a weird thing today.
Had a query built using the Query Builder with a condition saying column1
equals
{{x}}
.
When looking at the JSON code, {{x}}
is replaced by :P1
… indicating that it has been parameterized.
Then I changed the condition to column1
IN
{{y}}
, where y is an array.
Now in the JSON code, {{y}}
is no longer parameterized. :P1
is gone… which means the binding will just be parsed like any other binding - which opens the query to SQL Injection.
Is my understanding correct? Or even if JSON does not show the binding as a parameter, it will still be parameterized in run-time?
Also, I don’t know if this a new change, or has been like this since day one.
Another interesting observation is that in custom query builder, until few months ago, IN operator could not be used when its operand value was passed as parameter. But then it started working with some update. So, if my above understanding is correct, regular query builder can use IN conditional binding as a parameter, and current setup is a bug.
Lastly, if this is a bug and will be fixed, please let the community know if its going be a breaking change.
Last updated: