express: always use params in SQL

this way the driver binds the values separately from the SQL text, which avoids injection

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This commit is contained in:
Vincent Batts 2023-09-15 20:31:47 -04:00
parent 20e560c55c
commit 6114ef68b0
Signed by: vbatts
GPG key ID: E30EFAA812C6E5ED


@ -51,12 +51,12 @@ try {
var jsondata = JSON.parse(data); var jsondata = JSON.parse(data);
animals = jsondata.animals; animals = jsondata.animals;
for (const animal of animals) { for (const animal of animals) {
db.run( db.run(`
`
INSERT INTO animals(name) INSERT INTO animals(name)
SELECT '${animal}' SELECT ?
WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = '${animal}'); WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = ?);
`, `,
[animal, animal],
(err) => { (err) => {
if (err) { if (err) {
console.error(`Error inserting animal ${animal}: `, err.message); console.error(`Error inserting animal ${animal}: `, err.message);
@ -208,3 +208,5 @@ app.get("/results", async (req, res) => {
app.listen(port, () => { app.listen(port, () => {
console.log(`Server is running on port ${port}`); console.log(`Server is running on port ${port}`);
}); });
// vim:set sts=2 sw=2 et:
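Review bot: The bound `animal` still comes straight from the parsed JSON with no type check, so a non-string element (object, array, number) in `jsondata.animals` is handed to the driver as a parameter and either fails the bind or is coerced into a name that was never intended; a guard such as `if (typeof animal !== 'string' || animal.length === 0) continue;` before the `db.run` call would reject those before they reach SQL. The `console.error` on the last visible line of the first hunk still interpolates the raw value into the log message, so a name containing newlines can forge extra log lines — `JSON.stringify(animal)` there would keep it on one line. The `WHERE NOT EXISTS` check-then-insert is not atomic across concurrent runs; if `animals.name` carries a UNIQUE constraint (not visible in this hunk), `INSERT OR IGNORE INTO animals(name) VALUES (?)` with a single `[animal]` binding would be both simpler and race-free. The enclosing `try` block and the loop body both continue outside the hunk.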