hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 11:46:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
35591113c24e8bad733de5a08ddfe8fd2015633c
codeql/javascript/ql/src/Security/CWE-089/examples/SqlInjectionFix2.js

16 lines
463 B
JavaScript
Raw Blame History

const app = require("express")(),
pg = require("pg"),
SqlString = require('sqlstring'),
pool = new pg.Pool(config);
app.get("search", function handler(req, res) {
// GOOD: the category is escaped using mysql.escape
var query1 =
"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" +
SqlString.escape(req.params.category) +
"' ORDER BY PRICE";
pool.query(query1, [], function(err, results) {
// process results
});
});
Reference in New Issue View Git Blame Copy Permalink