lucien/tanuki-s-forum
1
0
Fork 0
generated from lucien/api-template
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: fixed sql injections

Browse source
This commit is contained in:
Lukian 2025-03-25 18:30:52 +01:00
parent 48503a4c9c
commit c34df6609c
3 changed files with 129 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

172
back/libs/mysql.js
View file

@ -12,7 +12,8 @@ function getConnection() {
function getUser(connection, id) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT * FROM users WHERE id = ${id}`,
`SELECT * FROM users WHERE id = ?`,
[id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
@ -24,23 +25,25 @@ function getUser(connection, id) {
}
function getUserByUsername(connection, username) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT * FROM users WHERE username = '${username}'`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT * FROM users WHERE username = ?`,
[username], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function addUser(connection, username, password) {
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO users (username, password) VALUES ('${username}', '${password}')`,
`INSERT INTO users (username, password) VALUES (?, ?)`,
[username, password], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
@ -52,17 +55,23 @@ function addUser(connection, username, password) {
}
function getUserLastMessages(connection, username) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE username = "${username}" ORDER BY date DESC LIMIT 5`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
FROM messages
JOIN users ON messages.user_id = users.id
JOIN channels ON messages.channel_id = channels.id
WHERE username = ?
ORDER BY date DESC LIMIT 5`,
[username], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function getChannels(connection) {
@ -82,7 +91,11 @@ function getChannels(connection) {
function getChannel(connection, name) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT channels.id, name, description, owner_id, username AS owner_username FROM channels JOIN users ON channels.owner_id = users.id WHERE name = "${name}"`,
`SELECT channels.id, name, description, owner_id, username AS owner_username
FROM channels
JOIN users ON channels.owner_id = users.id
WHERE name = ?`,
[name], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
@ -94,73 +107,86 @@ function getChannel(connection, name) {
}
function addChannel(connection, name, description, owner_id) {
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO channels (name, description, owner_id) VALUES ('${name}', '${description}', ${owner_id})`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO channels (name, description, owner_id) VALUES (?, ?, ?)`,
[name, description, owner_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function getMessages(connection, channel_id) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE channel_id = ${channel_id} ORDER BY date DESC`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
FROM messages
JOIN users ON messages.user_id = users.id
JOIN channels ON messages.channel_id = channels.id
WHERE channel_id = ?
ORDER BY date DESC`,
[channel_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function getLastMessages(connection) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id ORDER BY date DESC LIMIT 5`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
FROM messages
JOIN users ON messages.user_id = users.id
JOIN channels ON messages.channel_id = channels.id
ORDER BY date DESC LIMIT 5`,
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function addMessage(connection, channel_id, user_id, message) {
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO messages (channel_id, user_id, content, date) VALUES (${channel_id}, ${user_id}, "${message}", ${Math.floor(Date.now() / 1000)})`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO messages (channel_id, user_id, content, date) VALUES (?, ?, ?, ?)`,
[channel_id, user_id, message, Math.floor(Date.now() / 1000)], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function deleteMessage(connection, message_id) {
return new Promise((resolve, reject) => {
connection.query(
`DELETE FROM messages WHERE id = ${message_id}`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`DELETE FROM messages WHERE id = ?`,
[message_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
module.exports = {