GuardAPI

Fix SQL Injection (Legacy & Modern) in Meteor

Meteor apps that bridge to SQL (Postgres/MySQL) through drivers like 'pg' or query builders like 'knex' are frequently compromised because developers treat SQL the way they treat NoSQL. If you are concatenating strings into raw queries inside Meteor.methods, your database is a public playground: every method is callable by any connected client. Modern SQLi defense in Meteor requires strict input type checking combined with parameterized queries.

The Vulnerable Pattern

import { Meteor } from 'meteor/meteor';
import pg from 'pg';

// Connection pool for the application database (connection settings come from the environment)
const pool = new pg.Pool();

Meteor.methods({
  'fetchUserRecord': function(userInputId) {
    // CRITICAL VULNERABILITY: raw string interpolation puts client input into the SQL text
    const query = "SELECT * FROM profiles WHERE internal_id = '" + userInputId + "'";
    // Attacker sends: "' OR '1'='1" and the WHERE clause becomes always-true
    return pool.query(query);
  }
});

The Secure Implementation

The vulnerability occurs because the SQL engine interprets the 'userInputId' string as part of the command logic rather than as data. By injecting single quotes and boolean logic, an attacker can bypass the intended filter. The secure approach uses 'check' to ensure the input matches the expected type and parameterized queries ($1 placeholders with the 'pg' driver) to pass the value separately from the SQL text. This forces the database driver to treat the input as a literal scalar value, so any embedded SQL syntax is never parsed as a command. In modern Meteor stacks, a query builder like Knex.js is also recommended because it parameterizes inputs by default.

import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';
import pg from 'pg';

// Connection pool for the application database (connection settings come from the environment)
const pool = new pg.Pool();

Meteor.methods({
  'fetchUserRecord': function(userInputId) {
    // 1. Validate the input type; non-string payloads are rejected with a Match.Error
    check(userInputId, String);

    // 2. Use a parameterized query (prepared statement): $1 is bound to values[0]
    const query = "SELECT * FROM profiles WHERE internal_id = $1";
    const values = [userInputId];

    return pool.query(query, values);
  }
});
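The two patterns above side by side, as an added example that is not GuardAPI's code: a fake 'pg' client records what would be sent to the database, and a minimal stand-in for check() from 'meteor/check' replaces the real package so the file runs offline. The comparison shows that with parameterization the SQL text never changes and the payload only ever appears in the bound values array.

```javascript
// Minimal stand-in for check() from 'meteor/check' (assumption: only the
// String pattern is needed here). Throws like the real one does on mismatch.
function check(value, pattern) {
  if (pattern === String && typeof value !== 'string') {
    throw new Error('Match error: Expected string, got ' + typeof value);
  }
}

// Fake 'pg' client: records the query text and bound values instead of
// contacting Postgres. Constructed for this example.
class FakePgClient {
  constructor() { this.sent = []; }
  query(text, values = []) {
    this.sent.push({ text, values });
    return { rows: [] };
  }
}

// Legacy pattern: client input is spliced into the SQL text itself.
function buildUnsafeQuery(userInputId) {
  return "SELECT * FROM profiles WHERE internal_id = '" + userInputId + "'";
}

// Secure pattern: type check, then bind the value as a parameter.
// Returns what the driver would send so a caller can inspect it.
function fetchUserRecord(userInputId, client) {
  check(userInputId, String);
  const text = 'SELECT * FROM profiles WHERE internal_id = $1';
  const values = [userInputId];
  client.query(text, values);
  return { text, values };
}

// Constructed sample input: the payload from the article.
const PAYLOAD = "' OR '1'='1";

function demo() {
  const client = new FakePgClient();
  const safe = fetchUserRecord(PAYLOAD, client);
  let rejectsNonString = false;
  try { fetchUserRecord(42, client); } catch (e) { rejectsNonString = true; }
  return {
    unsafe: buildUnsafeQuery(PAYLOAD),   // WHERE clause rewritten by the payload
    safeText: safe.text,                 // constant SQL text
    safeValues: safe.values,             // payload stays a literal value
    rejectsNonString,                    // check() blocks wrong-typed input
  };
}
```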

Verified by Ghost Labs Security Team