lucien/tanuki-s-forum
1
0
Fork 0
generated from lucien/api-template
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: fixed sql injections

Browse source
This commit is contained in:
Lukian 2025-03-25 18:30:52 +01:00
parent 48503a4c9c
commit c34df6609c
3 changed files with 129 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

20
back/api/auth.js
View file

@ -7,6 +7,11 @@ const router = express.Router();
router.post('/login', async (req, res) => {
const { username, password } = req.body;
if (!username || !password) {
return res.status(400).send({ error: 'Invalid username or password' });
}
const connection = await getConnection();
const user = await getUserByUsername(connection, username);
connection.end();
@ -25,6 +30,11 @@ router.post('/register', async (req, res) => {
const { username, password } = req.body;
const connection = await getConnection();
if (!username || !password) {
connection.end();
return res.status(400).send({ error: 'Invalid username or password' });
}
const user = await getUserByUsername(connection, username);
if (user[0]) {
connection.end();
@ -44,7 +54,17 @@ router.post('/register', async (req, res) => {
router.post('/me', async (req, res) => {
const { token } = req.body;
if (!token) {
return res.status(400).send({ error: 'Invalid token' });
}
const decoded = jwt.verify(token, process.env.JWT_SECRET);
if (!decoded.id) {
return res.status(400).send({ error: 'Invalid token' });
}
const connection = await getConnection();
const users = await getUser(connection, decoded.id);
connection.end();

10
back/api/channels.js
View file

@ -62,6 +62,11 @@ router.post('/:name/messages/send', async (req, res) => {
router.post('/:name/messages/delete', async (req, res) => {
const { token, message_id } = req.body;
const name = req.params.name;
if (!message_id || !token) {
return res.status(400).send({ error: 'Missing parameters' });
}
const connection = await getConnection();
const decoded = jwt.verify(token, process.env.JWT_SECRET);
@ -89,6 +94,11 @@ router.post('/:name/messages/delete', async (req, res) => {
router.post('/add', async (req, res) => {
const { name, description, token } = req.body;
if (!name || !description || !token) {
return res.status(400).send({ error: 'Missing parameters' });
}
const connection = await getConnection();
const decoded = jwt.verify(token, process.env.JWT_SECRET);

172
back/libs/mysql.js
View file

@ -12,7 +12,8 @@ function getConnection() {
function getUser(connection, id) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT * FROM users WHERE id = ${id}`,
`SELECT * FROM users WHERE id = ?`,
[id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
@ -24,23 +25,25 @@ function getUser(connection, id) {
}
function getUserByUsername(connection, username) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT * FROM users WHERE username = '${username}'`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT * FROM users WHERE username = ?`,
[username], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function addUser(connection, username, password) {
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO users (username, password) VALUES ('${username}', '${password}')`,
`INSERT INTO users (username, password) VALUES (?, ?)`,
[username, password], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
@ -52,17 +55,23 @@ function addUser(connection, username, password) {
}
function getUserLastMessages(connection, username) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE username = "${username}" ORDER BY date DESC LIMIT 5`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
FROM messages
JOIN users ON messages.user_id = users.id
JOIN channels ON messages.channel_id = channels.id
WHERE username = ?
ORDER BY date DESC LIMIT 5`,
[username], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function getChannels(connection) {
@ -82,7 +91,11 @@ function getChannels(connection) {
function getChannel(connection, name) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT channels.id, name, description, owner_id, username AS owner_username FROM channels JOIN users ON channels.owner_id = users.id WHERE name = "${name}"`,
`SELECT channels.id, name, description, owner_id, username AS owner_username
FROM channels
JOIN users ON channels.owner_id = users.id
WHERE name = ?`,
[name], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
@ -94,73 +107,86 @@ function getChannel(connection, name) {
}
function addChannel(connection, name, description, owner_id) {
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO channels (name, description, owner_id) VALUES ('${name}', '${description}', ${owner_id})`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO channels (name, description, owner_id) VALUES (?, ?, ?)`,
[name, description, owner_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function getMessages(connection, channel_id) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE channel_id = ${channel_id} ORDER BY date DESC`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
FROM messages
JOIN users ON messages.user_id = users.id
JOIN channels ON messages.channel_id = channels.id
WHERE channel_id = ?
ORDER BY date DESC`,
[channel_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function getLastMessages(connection) {
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id ORDER BY date DESC LIMIT 5`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
FROM messages
JOIN users ON messages.user_id = users.id
JOIN channels ON messages.channel_id = channels.id
ORDER BY date DESC LIMIT 5`,
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function addMessage(connection, channel_id, user_id, message) {
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO messages (channel_id, user_id, content, date) VALUES (${channel_id}, ${user_id}, "${message}", ${Math.floor(Date.now() / 1000)})`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`INSERT INTO messages (channel_id, user_id, content, date) VALUES (?, ?, ?, ?)`,
[channel_id, user_id, message, Math.floor(Date.now() / 1000)], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
function deleteMessage(connection, message_id) {
return new Promise((resolve, reject) => {
connection.query(
`DELETE FROM messages WHERE id = ${message_id}`,
(error, result) => {
if (error) {
reject(new Error(error));
}
resolve(result);
return new Promise((resolve, reject) => {
connection.query(
`DELETE FROM messages WHERE id = ?`,
[message_id], // Use parameterized query
(error, result) => {
if (error) {
reject(new Error(error));
}
);
});
resolve(result);
}
);
});
}
module.exports = {