Closed aldrichdev closed 8 months ago
vercel[bot]
commented
8 months ago The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| neatf2p-nextjs | ✅ Ready (Inspect) | Visit Preview | Mar 5, 2024 6:34am |
netlify[bot]
commented
8 months ago | Name | Link |
|---|---|
| Latest commit | 51132fe11cba997d60fe2511072c098aae3abf4c |
| Latest deploy log | https://app.netlify.com/sites/precious-kulfi-215718/deploys/65e6bce969bc86000880440b |
| Deploy Preview | https://deploy-preview-84--precious-kulfi-215718.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
aldrichdev
commented
8 months ago Tested the risky updateWebsiteUserPassword call locally, with SQL injection code in the userId body param. It does not work, likely due to a syntax issue, since each parameter is processed separately and there are unclosed single quotes.
What's Changed
?) usage to all SQL queries that involve request variables (or converted strings that are guaranteed to be numbers tonumber) to protect against SQL injectionNEXT_PUBLIC_API_SECRETas it did not workcleanInputStringminor refactors as neededHow Tested
/api/getUser?user=; SELECT * FROM users;into Postman and noticed I always get[]back. Same applies for all other API calls that use request variables. Even tested withupdateWebsiteUserPasswordwith SQL injection code and it errors.Notes
getUsernow calls a stored procedure. Due to this, the result had to change toresponse?.data?.[0].submitNewsPostno longer needs to replace apostrophes with\\'since thealt,titleandbodyare no longer part of the query itself. This madecleanInputStringunneeded (in fact, it produced the wrong result), so I removed its usage and the function itself since nothing else used it.