getVerificationCode testType variable may be vulnerable to sql injection security risk

[whaber]

We should confirm in cloudfunctions hosted code that all input variables are being checked for validity.

When testType is submitted as confirmed' AND '1'='1' -- message returned with INTERNAL . This was the only security test I found that returned this.

This may because invalid input was detected and rejected by the code (good), or it may be that the code did not validate the input and the text was sent to the data store and it was luck that the attack did not work.

[whaber]

A thought: Is this in the right project?