express: always use params in SQL

this way it handles the sanitizing and avoids injection Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-09-15 20:31:47 -04:00 · 2023-09-15 20:31:47 -04:00 · 6114ef68b0
commit 6114ef68b0
parent 20e560c55c
1 changed files with 7 additions and 5 deletions
--- a/express/server.js
+++ b/express/server.js
@ -51,12 +51,12 @@ try {
    var jsondata = JSON.parse(data);
    animals = jsondata.animals;
    for (const animal of animals) {
-      db.run(
-        `
-      INSERT INTO animals(name)
-      SELECT '${animal}'
-      WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = '${animal}');
+      db.run(`
+              INSERT INTO animals(name)
+                SELECT ?
+                WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = ?);
      `,
+        [animal, animal],
        (err) => {
          if (err) {
            console.error(`Error inserting animal ${animal}: `, err.message);
@ -208,3 +208,5 @@ app.get("/results", async (req, res) => {
 app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
 });
+
+// vim:set sts=2 sw=2 et: