Previous: , Up: SQL Injection   [Index]

1.1.4 SQL Injection in Action

If preventive measures are not taken, SQL injection attacks can cause many problems. Let’s inject some SQL code. Hitting the RUN button will open a web application. The edit function is vulnerable. Try to exploit it!

Your app can be found at:

  "name": "psql-demo",
  "version": "0.1.0",
  "description": "PSQL demo for Securing Node JS Apps",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "nodemon index.js",
    "start:prod": "node index.js",
    "build": "cd client && npm install && npm run build",
    "client": "npm start --prefix client",
    "dev": "concurrently \"npm run start\" \"npm run client\""
  "author": "Educative",
  "license": "MIT",
  "dependencies": {
    "body-parser": "^1.18.3",
    "cors": "^2.8.5",
    "express": "^4.16.4",
    "concurrently": "^5.3.0",
    "nodemon": "^2.0.4",
    "password-generator": "^2.2.0",
    "pg": "^8.3.3",
    "pg-hstore": "^2.3.3",
    "sequelize": "^6.3.5",
    "http-proxy-middleware": "^1.0.5"
  "devDependencies": {
    "prettier": "^1.18.2"
const express = require("express");
const bodyParser = require("body-parser");
const cors = require("cors");

const app = express();

const routeStudents = require("./src/routes/students");

app.use(bodyParser.urlencoded({ extended: false }));

app.get("/", (req, res) => {
  res.send("Backend for queries app is working!");

app.use("/api/students", routeStudents, (req, res) => res.sendStatus(401));

const port = 3000;

console.log(`listening on ${port}`);