waterthetrees / wtt_server

Water The Trees Postgres/Express/Node.js backend
https://waterthetrees.com
Creative Commons Zero v1.0 Universal

Check queries for prepared statements #136

Open zoobot opened 1 year ago

zoobot commented 1 year ago

Use prepared statements to guard against sql injection. Good call @tzinckgraf, thanks for bringing this up! I assigned you but feel free to unassign yourself if you'd rather have someone else work on it.

TODO for this issue: check queries to make sure they are PreparedStatements

https://vitaly-t.github.io/pg-promise/PreparedStatement.html

In our code, prepared statements can be formatted like this. Note: name must be unique.

const query = {
  name: 'find-source',
  text: 'SELECT * FROM sources WHERE id_source_name = $1',
  values: [idSourceName], // values must be an array, one entry per $n placeholder
};
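An added example, not code from the wtt_server repository: a small guard around the { name, text, values } shape above that rejects the mistakes this issue is meant to catch (a value pasted into the SQL text instead of passed as a parameter, a placeholder/values mismatch, and a statement name reused for different SQL). The helper names (preparedQuery, placeholderCount, findSource, findSourceUnsafe) and the quoted-literal heuristic are mine; the name registry assumes one prepared statement per name on a connection.

```javascript
// name -> SQL text already prepared under that name (assumed one connection).
const registeredNames = new Map();

// Number of distinct $1..$n placeholders in the SQL text.
function placeholderCount(text) {
  const nums = (text.match(/\$\d+/g) || []).map((p) => Number(p.slice(1)));
  return new Set(nums).size;
}

// Builds a pg / pg-promise style prepared statement object, or throws when
// the query is not actually parameterised.
function preparedQuery(name, text, values) {
  if (!Array.isArray(values)) {
    throw new TypeError(`"${name}": values must be an array, got ${typeof values}`);
  }
  // Heuristic: a quoted string literal after "=" is the usual sign that input
  // was concatenated into the SQL. Fixed constants would trip it too; in this
  // codebase they should be passed through values as well.
  if (/=\s*'[^']*'/.test(text)) {
    throw new Error(`"${name}": quoted literal in SQL text; pass it via values`);
  }
  const n = placeholderCount(text);
  if (n !== values.length) {
    throw new Error(`"${name}": ${n} placeholders but ${values.length} values`);
  }
  const previous = registeredNames.get(name);
  if (previous !== undefined && previous !== text) {
    throw new Error(`"${name}": name already used for different SQL; names must be unique`);
  }
  registeredNames.set(name, text);
  return { name, text, values };
}

// The query from the issue, parameterised correctly: the input never touches the SQL.
function findSource(idSourceName) {
  return preparedQuery(
    'find-source',
    'SELECT * FROM sources WHERE id_source_name = $1',
    [idSourceName],
  );
}

// The pattern the issue wants found and removed: input interpolated into the text.
function findSourceUnsafe(idSourceName) {
  return preparedQuery(
    'find-source-unsafe',
    `SELECT * FROM sources WHERE id_source_name = '${idSourceName}'`,
    [],
  );
}
```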
zoobot commented 1 year ago

Do we want to break this up per route to make it easier for new people to jump in here and do them, since it will require testing the app full stack and checking tests?