Closed alwaysbusy closed 8 years ago
Assuming that the security of node.js (www.nodejs.org), any node modules (www.npmjs.com), jQuery (www.jquery.com) and Bootstrap (www.getbootstrap.com) has been taken care of by their respective maintainers.
packages.txt gives a full list of node modules being used at the time of this review.
robots.txt disallow fixed in 766b5e37a31aa88f43fc18dd25c3a00258fd668c
Template security improved in 2038e7303af1139611456ae2885e4fcac09400ef
SQL security improved in 99f47697efe79b810b2e48e2af3d80c990ef9230
```javascript
// Query as it stood before 99f47697: every profile field from the OAuth
// provider is concatenated straight into the SQL text.
sqlConnection.query("INSERT INTO " + config.mysqlDatabase + ".users(" +
    "fname, lname, email, activated, lastLogin) VALUES ('" +
    req.user.name.givenName + "', '" +      // user-controlled
    req.user.name.familyName + "', '" +     // user-controlled
    req.user.emails[0].value + "', '2', NOW())", function (err, result) {
    // ... callback body omitted in the original snippet
});
```
Potentially unsafe to use values directly, so need to add more logic in to prevent SQL injection. Some points also exist where login flow could be broken.