From 6114ef68b0d28b0fb8e82fd033ad617f444e3ef5 Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Fri, 15 Sep 2023 20:31:47 -0400
Subject: [PATCH] express: always use params in SQL

this way it handles the sanitizing and avoids injection

Signed-off-by: Vincent Batts
---
 express/server.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/express/server.js b/express/server.js
index 236ebba..6e3dad2 100644
--- a/express/server.js
+++ b/express/server.js
@@ -51,12 +51,12 @@ try {
 var jsondata = JSON.parse(data);
 animals = jsondata.animals;
 for (const animal of animals) {
- db.run(
- `
- INSERT INTO animals(name)
- SELECT '${animal}'
- WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = '${animal}');
+ db.run(`
+ INSERT INTO animals(name)
+ SELECT ?
+ WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = ?);
 `,
+ [animal, animal],
 (err) => {
 if (err) {
 console.error(`Error inserting animal ${animal}: `, err.message);
@@ -208,3 +208,5 @@ app.get("/results", async (req, res) => {
 app.listen(port, () => {
 console.log(`Server is running on port ${port}`);
 });
+
+// vim:set sts=2 sw=2 et:
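Review bot: The parameterized `SELECT ? WHERE NOT EXISTS(... name = ?)` closes the injection hole, but the surrounding lines in the first hunk still trust the parsed file's shape: `jsondata.animals` is handed straight to `for...of`, so a missing key throws a TypeError inside the enclosing `try` (which begins outside the hunk) and non-string entries are bound to the statement unchecked. Add a guard before the loop, e.g. `if (!Array.isArray(jsondata.animals)) throw new Error("expected jsondata.animals to be an array");` and skip or reject entries where `typeof animal !== "string"`. While touching these lines, `var jsondata` should become `const jsondata` to match the `const animal` on the next line. If the `animals.name` column has a UNIQUE constraint (not visible here), `INSERT OR IGNORE INTO animals(name) VALUES (?)` with a single `[animal]` binding would be a simpler equivalent, but that depends on the schema and is worth confirming first.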