changes based on review

This commit is contained in:
erik-krogh
2023-06-01 17:24:44 +02:00
parent 1e08105863
commit 9aeba4f31e
2 changed files with 2 additions and 2 deletions


@@ -40,7 +40,7 @@ an HTTP request handler in a web application, whose parameter
<p>
The handler constructs constructs an SQL query string from user input
and executes it as a database query using the <code>pg</code> library.
THe user input may contain quote characters, so this code is vulnerable
The user input may contain quote characters, so this code is vulnerable
to a SQL injection attack.
</p>


@@ -5,7 +5,7 @@ const app = require("express")(),
app.get("search", function handler(req, res) {
// GOOD: use parameters
var query2 =
"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1" + " ORDER BY PRICE";
"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE";
pool.query(query2, [req.params.category], function(err, results) {
// process results
});
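Review bot: `req.params.category` on the `pool.query` line looks like it will always be `undefined` here, because the route registered on the `app.get` line is the bare string `"search"` and declares no `:category` route parameter, so the otherwise correct parameterised query never receives the user's value. Either register the route as `app.get("/search/:category", function handler(req, res) {` or take the value from the query string with `[req.query.category]`, so the example actually demonstrates untrusted input being bound safely. The binding itself (`$1` with a values array) is the right pattern, so this is about the example being faithful rather than about the injection fix. The `app.get` call continues past the end of the hunk, and `pool` is defined outside it.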