yorknouse / account

Account system to provide login outside of Wordpress for comments and other features

Improve code security #11

Closed alwaysbusy closed 8 years ago

alwaysbusy commented 8 years ago

```javascript
// Profile fields from req.user are concatenated straight into the SQL text:
sqlConnection.query("INSERT INTO" + config.mysqlDatabase + ".users(fname,lname,email,activated,lastLogin) VALUES ('" + req.user.name.givenName + "', '" + req.user.name.familyName + "', '" + req.user.emails[0].value + "', '2', NOW())", function (err, result) {
```

Potentially unsafe to use values directly, so need to add more logic in to prevent SQL injection. Some points also exist where login flow could be broken.
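The concatenated INSERT above beside a parameterized version of the same statement, as an added example that is not the yorknouse/account project's code. It assumes the `?` (value) and `??` (identifier) placeholder syntax that the `mysql` npm driver binds in `connection.query(sql, values, callback)` (mysql2 accepts the same), re-implements a minimal version of that driver's escaping so the rendered SQL can be inspected offline without a database, and uses a constructed attacker profile and a hypothetical `config.mysqlDatabase` value.

```javascript
// Added example, not the yorknouse/account code. Shows why the issue's
// concatenated INSERT is injectable and how the same insert looks with the
// `?` (value) / `??` (identifier) placeholders that the `mysql` npm driver
// binds in connection.query(sql, values, callback). The escaping below is a
// minimal offline re-implementation of that driver's rules so the rendered
// SQL can be inspected here without a database; it is not the driver itself.

const config = { mysqlDatabase: 'accountdb' }; // constructed sample config

// Constructed req.user in the shape the issue shows (passport-style profile),
// with a classic injection payload in the family name.
const attackerProfile = {
  name: {
    givenName: 'Eve',
    familyName: "x', 'e@x', '1', NOW()); DROP TABLE users; -- ",
  },
  emails: [{ value: 'eve@example.com' }],
};

// Vulnerable: same construction as the issue. User data becomes SQL text.
function buildInsertUnsafe(user) {
  return "INSERT INTO " + config.mysqlDatabase +
    ".users(fname,lname,email,activated,lastLogin) VALUES ('" +
    user.name.givenName + "', '" + user.name.familyName + "', '" +
    user.emails[0].value + "', '2', NOW())";
}

// Hardened: SQL text is constant; the database name goes through `??`
// (identifier quoting) and every user value through `?` (value escaping).
// This is the {sql, values} pair you would hand to sqlConnection.query().
function buildInsertSafe(user) {
  return {
    sql: 'INSERT INTO ??.users (fname, lname, email, activated, lastLogin) ' +
         'VALUES (?, ?, ?, ?, NOW())',
    values: [config.mysqlDatabase, user.name.givenName, user.name.familyName,
             user.emails[0].value, '2'],
  };
}

// Minimal stand-in for the driver's value escaping (mysql's SqlString rules):
// backslash-escape the characters that can end a literal or confuse the parser.
const ESCAPES = { '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
                  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\' };
function escapeValue(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number') return String(v);
  return "'" + String(v).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPES[c]) + "'";
}
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Render {sql, values} to the single statement the driver would send.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?\?|\?/g, (m) => {
    if (i >= values.length) throw new Error('too few values for placeholders');
    const v = values[i++];
    return m === '??' ? escapeId(v) : escapeValue(v);
  });
}
function renderSafe(user) {
  const q = buildInsertSafe(user);
  return format(q.sql, q.values);
}

// Count ';' outside single-quoted literals (honouring backslash escapes):
// a count above 0 means the input smuggled in extra statements.
function countTopLevelSemicolons(sql) {
  let count = 0, inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inQuote) {
      if (c === '\\') i++;          // skip the escaped character
      else if (c === "'") inQuote = false;
    } else if (c === "'") {
      inQuote = true;
    } else if (c === ';') {
      count++;
    }
  }
  return count;
}

console.log('unsafe:', buildInsertUnsafe(attackerProfile));
console.log('safe:  ', renderSafe(attackerProfile));
console.log('extra statements, unsafe/safe:',
  countTopLevelSemicolons(buildInsertUnsafe(attackerProfile)),
  countTopLevelSemicolons(renderSafe(attackerProfile)));
```

With the concatenated form the payload terminates the literal and leaves two stray statements outside any quotes; with placeholders the same payload stays inside one escaped literal and is stored as an (odd-looking) surname. In the real application the driver does the escaping, so the call becomes `sqlConnection.query(q.sql, q.values, callback)` and the string-building code goes away entirely.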

alwaysbusy commented 8 years ago

Assuming that the security of node.js (www.nodejs.org), any node modules (www.npmjs.com), jQuery (www.jquery.com) and Bootstrap (www.getbootstrap.com) has been taken care of by their respective maintainers.

alwaysbusy commented 8 years ago

packages.txt gives a full list of node modules being used at the time of this review.

alwaysbusy commented 8 years ago

robots.txt disallow fixed in 766b5e37a31aa88f43fc18dd25c3a00258fd668c

alwaysbusy commented 8 years ago

Template security improved in 2038e7303af1139611456ae2885e4fcac09400ef

alwaysbusy commented 8 years ago

SQL security improved in 99f47697efe79b810b2e48e2af3d80c990ef9230