Parametrized

HardWeb Security

Overview

The backend proudly claims that every database query is fully parameterized. According to the developer, there's absolutely no way for you to read the admin's private notes. Prove them wrong.

Flag Format: Flag{}

Lab Details

Prerequisites & Requirements

  • Basic understanding of how web applications and HTTP requests work
  • Familiarity with JavaScript and how Express.js handles query parameters
  • Understanding of SQL databases and basic SQL syntax
  • General knowledge of web security concepts, especially SQL injection
  • Awareness of how MySQL parameterized queries are intended to work
  • Ability to inspect and manipulate URL query strings

What will you learn?

  • How object injection in query parameters can subvert "safe" parameterized SQL queries
  • How the MySQL driver transforms JavaScript objects into SQL expressions
  • Why comparing database columns against themselves or mismatching types leads to logic bypasses
  • How type coercion in MySQL can turn failed comparisons into true conditions
  • Techniques to extract protected data without knowing secret keys
  • How subtle driver behavior can introduce SQL injection even in "secure" code
  • How to reliably exploit Express.js + mysql/mysql2 object-to-SQL behavior

Tools

  • Any modern web browser with developer tools
  • cURL, Postman, or a similar tool for crafting custom HTTP requests
  • Python (optional) for automated exploitation scripts
  • Basic knowledge of Node.js, Express.js, and MySQL
  • Burp Suite or any intercepting proxy (optional but useful)

Job Positions

Ethical Hacker

Tags

  • SQL Injection
  • Input Validation
  • JavaScript
  • Broken Access Control
  • Source Code Review