Security Testing: SQL injection attack possible by posting to login-check. If you post admin@123.com" AND "1"="1" -- as the email field in the post body, it will get executed in MySQL. You can't enter this data on the login form because there is a requirement for it to be formatted as an email. #38
The problem is that in login-check the email parameter for the SQL is not parametrised:

app.post("/login-check", function (req, res) {
  var email = sanitiseHtml(req.body.email); // sanitises HTML only; nothing stops SQL quote characters here
  var password = req.body.password;
  // just check that the email address exists (password hash checking comes after)
  let sqlquery =
    'SELECT email, id, password, user_role FROM user_account WHERE email="' +
    email.toLowerCase() + // user-controlled string spliced straight into the SQL text
    '";';
  // ... sqlquery is then sent to MySQL as-is
});

and this leads to the error. The fix is to parametrise with ?s.
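As an added example (not code from the issue or from the project): the concatenated query builder from the issue beside a parametrised version that uses a ? placeholder, a simplified re-implementation of how a MySQL driver escapes the bound value so the payload stays inside one string literal, and a server-side email check, since the form's email-format requirement only lives in the browser and a direct POST never sees it. The runQuery callback, the loginCheck function, the SELECT_USER_SQL constant and the sample row are assumptions made so it runs without a database.

```javascript
// Added example, not the project's code. Shows why the concatenated query in
// the issue is injectable and what the parametrised version looks like.
// Runs offline: no Express, no MySQL connection.

const SELECT_USER_SQL =
  "SELECT email, id, password, user_role FROM user_account WHERE email = ?";

// Before: the request body is spliced into the SQL text, so quote characters
// in the email become SQL syntax. (Same construction as the issue's handler.)
function buildVulnerableQuery(email) {
  return (
    'SELECT email, id, password, user_role FROM user_account WHERE email="' +
    email.toLowerCase() +
    '";'
  );
}

// After: the SQL text is a constant and the email travels in a separate
// values array that the driver binds to the ? placeholder. This is the
// (sql, values) pair that mysql/mysql2's connection.query accepts
// (assumption: the project uses one of those drivers).
function buildParameterisedQuery(email) {
  return { sql: SELECT_USER_SQL, values: [email.toLowerCase()] };
}

// Simplified re-implementation of how the mysql driver escapes a bound string:
// dangerous characters are backslash-escaped and the result is wrapped in
// single quotes, so nothing inside the value can close the literal.
const ESCAPES = {
  "\0": "\\0", "\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
  "\x1a": "\\Z", '"': '\\"', "'": "\\'", "\\": "\\\\",
};
function escapeLiteral(value) {
  return "'" + String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPES[c]) + "'";
}

// Renders what the server would actually receive, for inspection only.
function renderForDebugging({ sql, values }) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeLiteral(values[i++]));
}

// Server-side shape check. The issue notes the form only accepts email-shaped
// input; that check runs in the browser and a direct POST bypasses it.
// Deliberately minimal (assumption): no whitespace, exactly one @, a dot in
// the domain. Parametrisation is the real fix; this is defence in depth.
function isValidEmail(email) {
  return typeof email === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Hardened login-check body. runQuery(sql, values) stands in for
// connection.query so the function can run without a database (assumption);
// a real driver is callback or promise based.
function loginCheck(body, runQuery) {
  const email = typeof body.email === "string" ? body.email.trim() : "";
  if (!isValidEmail(email)) {
    return { status: 400, error: "invalid email" };
  }
  const { sql, values } = buildParameterisedQuery(email);
  const rows = runQuery(sql, values);
  if (rows.length === 0) {
    return { status: 401, error: "invalid credentials" };
  }
  // Password hash checking comes after, as in the original handler.
  return { status: 200, userId: rows[0].id, userRole: rows[0].user_role };
}

// Demo with the payload from the issue (constructed input).
const PAYLOAD = 'admin@123.com" AND "1"="1" --';
console.log("vulnerable  :", buildVulnerableQuery(PAYLOAD));
console.log("parametrised:", renderForDebugging(buildParameterisedQuery(PAYLOAD)));
console.log("direct POST :", loginCheck({ email: PAYLOAD }, () => []));
```

Running it prints the concatenated query with `"1"="1"` sitting outside the string literal and the `--` commenting out the trailing `";`, while the parametrised version keeps the whole payload inside a single escaped literal and never changes the SQL text. The shape check rejects the payload before any query runs, but it is secondary: a quote-free payload would still pass it, and only the ? binding makes the query text independent of the input.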