From 9309b069edbff1f782a95d6bd425def9a4a31138 Mon Sep 17 00:00:00 2001
From: Austen Stone
Date: Thu, 3 Jul 2025 20:09:29 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 24: Database query built from user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 model/products.js | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)

diff --git a/model/products.js b/model/products.js
index 6df3f921..06c76022 100644
--- a/model/products.js
+++ b/model/products.js
@@ -11,41 +11,31 @@ function list_products() {
 function getProduct(product_id) {
- var q = "SELECT * FROM products WHERE id = '" + product_id + "';";
+ var q = "SELECT * FROM products WHERE id = $1;";
- return db.one(q);
+ return db.one(q, [product_id]);
 }
 function search(query) {
- var q = "SELECT * FROM products WHERE name ILIKE '%" + query + "%' OR description ILIKE '%" + query + "%';";
+ var q = "SELECT * FROM products WHERE name ILIKE $1 OR description ILIKE $1;";
- return db.many(q);
+ return db.many(q, ['%' + query + '%']);
 }
 function purchase(cart) {
- var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES('" +
- cart.mail + "', '" +
- cart.product_name + "', '" +
- cart.username + "', '" +
- cart.product_id + "', '" +
- cart.address + "', '" +
- cart.ship_date + "', '" +
- cart.phone + "', '" +
- cart.price +
- "');";
-
- return db.one(q);
+ var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES($1, $2, $3, $4, $5, $6, $7, $8);";
+ return db.one(q, [cart.mail, cart.product_name, cart.username, cart.product_id, cart.address, cart.phone, cart.ship_date, cart.price]);
 }
 function get_purcharsed(username) {
- var q = "SELECT * FROM purchases WHERE user_name = '" + username + "';";
+ var q = "SELECT * FROM purchases WHERE user_name = $1;";
- return db.many(q);
+ return db.many(q, [username]);
 }
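Review bot: In `search`, the new `db.many(q, ['%' + query + '%'])` closes the injection but still hands the raw `query` to ILIKE as a pattern, so `%`, `_` and `\` in user input act as wildcards instead of literal characters — a bare `%` returns the whole table and wildcard-heavy input makes the scan costlier than a literal search. Escape the pattern metacharacters before wrapping: `var pattern = '%' + String(query).replace(/[\\%_]/g, '\\$&') + '%';` then `return db.many(q, [pattern]);` (ILIKE and `$1` placeholders point at PostgreSQL, whose default LIKE escape character is backslash, so no ESCAPE clause is needed). The `db.one`/`db.many` names look like pg-promise; if so, `db.many` rejects on an empty result set, so a search with no matches surfaces as a rejection rather than `[]` — pre-existing behaviour, but worth a comment on `search` and `get_purcharsed` now that they are being touched. `getProduct`, `purchase` and `get_purcharsed` are correctly parameterized, and the `purchase` value list now matches the column order (the old string built `ship_date` before `phone`).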