Open huzhenjie opened 4 years ago
https://github.com/chenshenhai/koa2-note/blob/c667c4fa4b9cf31acd2b76e29a5056b69581ca65/demo/project/server/models/user-info.js#L23
The code here will cause a SQL injection attack.

```js
async getExistOne(options) {
  // SQL injection attack: options.email and options.name are interpolated
  // straight into the statement text
  let _sql = `
    SELECT * from user_info
      where email="${options.email}" or name="${options.name}"
      limit 1`
  let result = await dbUtils.query(_sql)
  if (Array.isArray(result) && result.length > 0) {
    result = result[0]
  } else {
    result = null
  }
  return result
}
```
Suggestion
```sql
SELECT * from user_info where email=? or name=? limit 1
```
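The following is an added example, not code from koa2-note or from the issue author. It places the interpolated query from the issue beside the parameterized form the suggestion asks for, rewrites `getExistOne` to use it, and adds a small check that counts string literals so the structural difference can be observed without a database. It assumes that the project's `dbUtils.query(sql, values)` forwards `values` to a driver that understands `?` placeholders (the `mysql` and `mysql2` packages do); `fakeQuery` and `sampleRows` are constructed stand-ins for that driver.

```javascript
// Vulnerable form, as in the issue: request values are spliced into the SQL
// text, so a value containing a double quote can add predicates to the
// WHERE clause. Kept here only to compare against the fixed form.
function buildInterpolatedSql(options) {
  return `SELECT * from user_info where email="${options.email}" or name="${options.name}" limit 1`;
}

// Fixed form: the SQL text is constant; the values travel separately to the
// driver and are bound as data, never parsed as SQL.
function buildParameterizedQuery(options) {
  return {
    sql: 'SELECT * from user_info where email=? or name=? limit 1',
    values: [options.email, options.name],
  };
}

// Number of double-quoted literals in a statement. The interpolated query is
// meant to contain exactly two; more than two means the input changed the
// statement's shape. The parameterized statement contains none.
function countStringLiterals(sql) {
  return (sql.match(/"[^"]*"/g) || []).length;
}

// getExistOne rewritten around the parameterized query. The query function is
// passed in (hypothetical parameter) so the logic can run without a database;
// in the project it would be dbUtils.query.
async function getExistOne(options, query) {
  const { sql, values } = buildParameterizedQuery(options);
  const result = await query(sql, values);
  return Array.isArray(result) && result.length > 0 ? result[0] : null;
}

// Constructed in-memory stand-in for the driver: it compares the bound values
// to stored rows as plain strings, which is what parameter binding guarantees.
const sampleRows = [
  { id: 1, email: 'alice@example.com', name: 'alice' },
  { id: 2, email: 'bob@example.com', name: 'bob' },
];
async function fakeQuery(sql, values) {
  const [email, name] = values;
  return sampleRows
    .filter((r) => r.email === email || r.name === name)
    .slice(0, 1); // "limit 1"
}

// Usage with constructed input: ordinary values yield a two-literal statement
// in the interpolated form and a zero-literal statement in the fixed form.
// countStringLiterals(buildInterpolatedSql({ email: 'a@b.c', name: 'bob' }));
// countStringLiterals(buildParameterizedQuery({ email: 'a@b.c', name: 'bob' }).sql);
// getExistOne({ email: 'bob@example.com', name: 'zzz' }, fakeQuery).then(console.log);
```

The literal count is a review-time check, not a runtime defence: the fix is that `buildParameterizedQuery` never lets request data reach the SQL parser, so a value containing quote characters is simply compared as a string and matches no row.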