express: always use params in SQL
This way it handles the sanitizing and avoids injection.
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This commit is contained in:
parent
20e560c55c
commit
6114ef68b0
1 changed files with 7 additions and 5 deletions
|
@ -51,12 +51,12 @@ try {
|
||||||
var jsondata = JSON.parse(data);
|
var jsondata = JSON.parse(data);
|
||||||
animals = jsondata.animals;
|
animals = jsondata.animals;
|
||||||
for (const animal of animals) {
|
for (const animal of animals) {
|
||||||
db.run(
|
db.run(`
|
||||||
`
|
INSERT INTO animals(name)
|
||||||
INSERT INTO animals(name)
|
SELECT ?
|
||||||
SELECT '${animal}'
|
WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = ?);
|
||||||
WHERE NOT EXISTS(SELECT 1 FROM animals WHERE name = '${animal}');
|
|
||||||
`,
|
`,
|
||||||
|
[animal, animal],
|
||||||
(err) => {
|
(err) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
console.error(`Error inserting animal ${animal}: `, err.message);
|
console.error(`Error inserting animal ${animal}: `, err.message);
|
||||||
|
@ -208,3 +208,5 @@ app.get("/results", async (req, res) => {
|
||||||
app.listen(port, () => {
|
app.listen(port, () => {
|
||||||
console.log(`Server is running on port ${port}`);
|
console.log(`Server is running on port ${port}`);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// vim:set sts=2 sw=2 et:
|
||||||
|
|
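Review bot: The new parameterized statement binds `animal` straight out of the parsed JSON, and nothing in the loop checks that each element is a string before it reaches `db.run`; with `[animal, animal]` a non-string entry (object, nested array, null) is handed to the driver, whose binding rules for such values are not shown here. A guard at the top of the loop, `if (typeof animal !== 'string') continue;`, would make the expected contract explicit instead of relying on driver behaviour. The `INSERT … SELECT ? WHERE NOT EXISTS` form is also not atomic across concurrent inserts, so duplicates remain possible unless `animals.name` carries a UNIQUE constraint (the schema is not visible in this hunk); if it does, `INSERT OR IGNORE INTO animals(name) VALUES (?)` with a single bound parameter would be the simpler equivalent. The enclosing `try` block begins before the hunk and the `db.run` callback continues past it.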