#0304

Sort Column Injection

Difficulty: Medium | +100 XP | OWASP A03:2021 Injection | CWE-89
Tags: SQL Injection, Column Injection

Scenario

An orders API lets clients choose how results are sorted by passing a column name as a query parameter. The handler inserts this column name directly into an ORDER BY clause.

Unlike values in a WHERE clause, identifiers such as column names cannot be bound as query parameters in most databases and drivers, so the fix is an allowlist of known column names, not a placeholder.

Without a check, an attacker can append arbitrary SQL after the column name, for example created_at; DROP TABLE orders;-- where the driver allows stacked statements, or place a subquery or CASE expression inside the ORDER BY to extract data one comparison at a time even where it does not.

Column injection is a lesser-known but equally dangerous SQL injection variant. Because developers know they can't parameterize column names, they often skip validation entirely — giving attackers direct control over query structure.

Your Tasks

  1. Fix buildSortedQuery to validate column against an allowlist of ["created_at", "total", "status"].
  2. Throw an error with the message 'Invalid sort column' if the column is not in the allowlist.
  3. Return { sql: "SELECT * FROM orders ORDER BY " + column, params: [] } for valid columns.

Examples

Example 1: Injection attempt rejected

buildSortedQuery('created_at; DROP TABLE orders;--')
// → throws Error('Invalid sort column')

Example 2: Valid column accepted

buildSortedQuery('total')
// → { sql: 'SELECT * FROM orders ORDER BY total', params: [] }

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Invalid sort column' for disallowed column names.
  • Valid columns: created_at, total, status.
  • No external packages.
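The following is an added worked example, not the challenge's reference solution. It shows the vulnerable handler beside the allowlisted fix that satisfies the tasks above, and then goes one step further than the challenge asks: a variant where the client sends an API sort key that is mapped server-side to a column name, the sort direction is allowlisted the same way, and a filter value is bound as a parameter. The function names buildSortedQueryVulnerable, buildFilteredSortedQuery and throwsWith, the sort-key names, and the PostgreSQL-style $1 placeholder are this example's own assumptions.

```javascript
'use strict';

// Added example, not the challenge's reference solution. All names other
// than buildSortedQuery and the allowlist are this example's own.

// Vulnerable: the client-supplied identifier is concatenated unchanged, so
// anything after the column name becomes part of the query.
function buildSortedQueryVulnerable(column) {
  return { sql: 'SELECT * FROM orders ORDER BY ' + column, params: [] };
}

// Fixed: exact-match allowlist. No trimming, case folding or prefix
// matching, so 'total--', 'Total' and 'total ' are all rejected.
const SORT_COLUMNS = new Set(['created_at', 'total', 'status']);

function buildSortedQuery(column) {
  if (typeof column !== 'string' || !SORT_COLUMNS.has(column)) {
    throw new Error('Invalid sort column');
  }
  return { sql: 'SELECT * FROM orders ORDER BY ' + column, params: [] };
}

// Variant: the API exposes sort keys, not column names, so no identifier
// ever originates from the request. A Map is used instead of a plain object
// so keys such as 'constructor' or '__proto__' do not resolve through the
// prototype chain. Direction is allowlisted the same way, and the one
// value (status) is bound as $1 (PostgreSQL placeholder style, assumed here).
const SORT_KEY_TO_COLUMN = new Map([
  ['date', 'created_at'],
  ['amount', 'total'],
  ['status', 'status'],
]);
const DIRECTIONS = new Map([['asc', 'ASC'], ['desc', 'DESC']]);

function buildFilteredSortedQuery({ sortKey = 'date', direction = 'asc', status } = {}) {
  const column = SORT_KEY_TO_COLUMN.get(sortKey);
  if (column === undefined) throw new Error('Invalid sort column');
  const dir = DIRECTIONS.get(direction);
  if (dir === undefined) throw new Error('Invalid sort direction');

  const params = [];
  let sql = 'SELECT * FROM orders';
  if (status !== undefined) {
    params.push(status);                        // value: bound, never concatenated
    sql += ' WHERE status = $' + params.length;
  }
  sql += ' ORDER BY ' + column + ' ' + dir;     // identifiers: allowlisted only
  return { sql, params };
}

// Helper: true if fn throws an Error carrying exactly the given message.
function throwsWith(fn, message) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof Error && e.message === message;
  }
}

// Demo on a constructed payload (only when run directly under Node).
if (typeof require !== 'undefined' && require.main === module) {
  const payload = 'created_at; DROP TABLE orders;--';
  console.log(buildSortedQueryVulnerable(payload).sql);
  console.log(throwsWith(() => buildSortedQuery(payload), 'Invalid sort column'));
  console.log(buildSortedQuery('total'));
  console.log(buildFilteredSortedQuery({ sortKey: 'amount', direction: 'desc', status: 'paid' }));
}
```

The strict-equality check on a Set is deliberate: normalising input before the lookup (trim, lower-case) widens what the allowlist accepts and makes it harder to reason about which exact strings reach the query. Mapping API keys to columns additionally keeps the schema out of the public interface, so renaming a column later does not change the API.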
