squel@4.2.4 vulnerabilities

SQL query string builder

  • latest version

    5.13.0

  • first published

    12 years ago

  • latest version published

    5 years ago

  • deprecated

    Package is deprecated

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the squel package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    SQL Injection

    squel is a SQL query string builder.

    Affected versions of this package are vulnerable to SQL Injection. The package does not properly escape user provided input when provided using the setFields method. This could lead to sql injection if the query was then executed.

    Proof of concept demonstrating the injection of a single quote into a generated sql statement from user provided input.

    > console.log(squel.insert().into('buh').setFields({foo: "bar'baz"}).toString());
    INSERT INTO buh (foo) VALUES ('bar\'baz')
    

    How to fix SQL Injection?

    There is no fix version for squel.

    *