Replace escapeSql with pg built-in escaping #22
In CatalystCode/project-fortis-pipeline#222 we discovered another set of SQL-injection attack vectors for the feature service. This commit fixes potential injection vulnerabilities once and for all by switching all queries to using the postgres built-in parameter interpolation mechanism instead of using string queries.
The changes were validated by calling the following routes which should be roughly representative of the entire functionality space of the featureService:
curl 'localhost:8080/features/name/paris'
curl 'localhost:8080/features/name/bogota,paris'
curl 'localhost:8080/features/id/wof-85971971'
curl 'localhost:8080/features/id/wof-404477281,wof-85971971'
curl 'localhost:8080/features/point/40.71/74.0'
curl 'localhost:8080/features/bbox/47/5/35/10'
curl 'localhost:8080/features/bbox/47/5/35/10?filter_name=Saint&filter_layer=campus'
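Added example, not code from this PR or from the featureService: a sketch of the string-built query shape next to a parameterized one for the comma-separated name/id routes and the `filter_name`/`filter_layer` options listed above. The table and column names, the function names, and applying the filters to the list routes are assumptions; the returned `{ text, values }` object is the query-config form that pg's `client.query` accepts.

```javascript
// Added illustration. Table/column names (features, id, name, layer) are hypothetical.

// "Before" shape: request input is concatenated into the SQL text,
// so a quote in the input changes the structure of the statement.
function buildNameQueryUnsafe(namesCsv) {
  const list = namesCsv.split(',').map((n) => `'${n}'`).join(', ');
  return `SELECT id, name, layer FROM features WHERE name IN (${list})`;
}

// Split a comma-separated route segment into trimmed, non-empty items.
function splitCsv(csv) {
  return String(csv).split(',').map((s) => s.trim()).filter(Boolean);
}

// "After" shape: the SQL text holds only $n placeholders; every piece of
// request input is carried in `values` and bound by the driver.
function buildFeatureQuery({ names, ids, filterName, filterLayer } = {}) {
  const values = [];
  const where = [];
  // Register a value and return the placeholder that refers to it.
  const bind = (v) => { values.push(v); return `$${values.length}`; };

  // A JS array is bound as one Postgres array parameter, so the
  // placeholder count does not depend on how many items were sent.
  if (names) where.push(`name = ANY(${bind(splitCsv(names))})`);
  if (ids) where.push(`id = ANY(${bind(splitCsv(ids))})`);
  if (filterLayer) where.push(`layer = ${bind(String(filterLayer))}`);
  if (filterName) {
    // Binding stops injection, but % and _ are still LIKE wildcards:
    // escape them so the filter matches the input literally.
    const escaped = String(filterName).replace(/[\\%_]/g, '\\$&');
    where.push(`name ILIKE ${bind(`%${escaped}%`)}`);
  }
  if (where.length === 0) throw new Error('refusing to build an unfiltered query');

  return {
    text: `SELECT id, name, layer FROM features WHERE ${where.join(' AND ')}`,
    values,
  };
}
```

With a pg client in hand, the result is passed as `client.query(buildFeatureQuery({ names: 'bogota,paris' }))`.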