zehfernandes / wordnote

A simple and elegant notebook to write new words and discover their meanings and synonyms https://wordnote.app
652 stars 37 forks

Sanitize input before querying the database #4

Open DAlperin opened 1 year ago

DAlperin commented 1 year ago

I'm not 100% sure, but it kind of feels like words aren't being properly escaped in the SQL queries. Putting a `'or 1=1;` on a line seems to pretty consistently mess things up and/or crash the app for me. I was looking in the Editor.js files and it kind of looks like there is just raw string interpolation happening in the queries, but I'm not sure.

Super cool app though :) I really like it so far.

zehfernandes commented 1 year ago

Good catch! You are right, a sanitization before querying the DB will fix the problem.
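The fix agreed on above, as an added example that is not code from the wordnote repository: the interpolated query shape the report suspects, next to a parameterized form where the typed word never becomes SQL text, plus a small structural check that shows why the report's input breaks the first form. The `words` table, `word` column and the `prepare(sql).get(...params)` driver shape are assumptions; wordnote's schema and SQLite binding are not shown on the page.

```javascript
// Added example for issue #4. Table/column names are hypothetical.

// The pattern the report suspects in Editor.js: the typed word is spliced into
// the SQL string, so its quotes and semicolons are parsed as SQL syntax.
function buildQueryUnsafe(word) {
  return `SELECT * FROM words WHERE word = '${word}'`;
}

// The fix: the SQL text is a constant and the word travels as a bound
// parameter. This is the shape Node SQLite bindings accept, e.g.
// db.prepare(sql).get(...params) (assumed driver API); the value is never
// parsed as SQL, so no escaping of the word is needed.
function buildQuerySafe(word) {
  return { sql: 'SELECT * FROM words WHERE word = ?', params: [word] };
}

// Structural check a unit test can apply to the final SQL text: count
// statement terminators outside string literals and report whether a
// literal is left open. A doubled quote ('') inside a literal is an escape.
function analyzeSql(sql) {
  let inString = false;
  let terminators = 0;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      if (ch === "'") {
        if (sql[i + 1] === "'") i++;   // escaped quote, stay inside literal
        else inString = false;         // closing quote
      }
    } else if (ch === "'") {
      inString = true;
    } else if (ch === ';') {
      terminators++;
    }
  }
  return { terminators, unbalancedQuote: inString };
}

// With the word from the report, interpolation yields a ';' outside any
// literal and an unterminated quote (the driver's parse error is the crash);
// the parameterized form keeps a fixed statement and carries the word as-is.
const reportedInput = "'or 1=1;";           // the input quoted in the issue
console.log(analyzeSql(buildQueryUnsafe(reportedInput)));
console.log(analyzeSql(buildQuerySafe(reportedInput).sql));
```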