cannot use backtick when using nodejs 7.3.0

Backend | Unresolved | 1 | 1452
既然无缘 2020-12-11 11:59

I'm trying to run a simple website, and encountered the following backtick error

  `INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(${qid},

1 answer
  • 2020-12-11 12:37

    SQL Injection Alert

    Your entire code is one big SQL injection vulnerability waiting to be exploited. It's pretty rare to have an exploitable SQL injection vulnerability these days, but here you have it in every parameter.

    Never do this

    connection.query(
        `INSERT INTO questionInfo(qid) VALUES(${qid})`,
        err => {
            // ...
        }
    );
    

    or:

    connection.query(
        'INSERT INTO questionInfo(qid) VALUES(' + qid + ')',
        err => {
            // ...
        }
    );
    

    Always do this

    connection.query(
        'INSERT INTO questionInfo(qid) VALUES(?)',
        qid,
        err => {
            // ...
        }
    );
    

    Your problem

    Looking at your problem it seems that either you have unbalanced backticks or you found a bug in Node. It's hard to tell anything more because instead of posting a minimal example that reproduces your problem, you posted an incomplete part of your route handler that cannot even be run without the parts that you removed.

    But you should be grateful that you got the problem with backticks, because without it you would never even know how insecure your code is. I can't even remember when I last saw code with an SQL injection vulnerability. It's been years since I last referred someone to this comic strip:

    Please read:

    • https://en.wikipedia.org/wiki/SQL_injection
    • http://www.beyondsecurity.com/about-sql-injection.html
    • http://projects.webappsec.org/w/page/13246963/SQL%20Injection
    • http://bobby-tables.com/

    And remember to never use backticks to insert unsanitized data into any string, especially SQL.

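The question's INSERT statement written both ways, as an added example that is not part of the answer above. `escapeValue` and `format` are a simplified stand-in (an assumption for offline use) for the `?` placeholder substitution the `mysql` driver performs; the sample row is constructed. A question text that merely contains an apostrophe leaves the interpolated statement with an unterminated string literal, while the placeholder version escapes it.

```javascript
// Added example (not from the original post). escapeValue/format imitate the
// quoting the mysql driver applies to `?` placeholders; they are an assumption
// for an offline demo, not the driver's own code.
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

function escapeValue(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number' && Number.isFinite(v)) return String(v);
  if (typeof v === 'boolean') return v ? 'true' : 'false';
  // Everything else becomes a quoted string with special characters escaped,
  // so a quote inside the data can never terminate the literal.
  return "'" + String(v).replace(/[\0\b\t\n\r\x1a"'\\]/g, ch => ESCAPE_MAP[ch]) + "'";
}

// Substitute each `?` in the SQL text with the escaped value at that position.
function format(sql, values) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeValue(values[i++]);
  });
  if (i !== values.length) throw new Error('too many values for placeholders');
  return out;
}

const INSERT_SQL =
  'INSERT INTO questions(qid, uid, question, difficulty, cid) VALUES(?, ?, ?, ?, ?)';

// The "never do this" form: a template literal that splices raw values into SQL.
function buildInterpolated(q) {
  return `INSERT INTO questions(qid, uid, question, difficulty, cid) ` +
    `VALUES(${q.qid}, ${q.uid}, '${q.question}', ${q.difficulty}, ${q.cid})`;
}

// The "always do this" form: the SQL text is a constant, values travel separately.
function buildParameterized(q) {
  return format(INSERT_SQL, [q.qid, q.uid, q.question, q.difficulty, q.cid]);
}

// Constructed sample row: ordinary question text that happens to contain apostrophes.
const SAMPLE = { qid: 42, uid: 7, question: "What's the output of 1 + '1'?", difficulty: 2, cid: 3 };

// True when every string literal is closed: an even number of unescaped single quotes.
function quotesBalanced(sql) {
  const unescaped = sql.replace(/\\'/g, '');
  return ((unescaped.match(/'/g) || []).length % 2) === 0;
}
```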