Added protection from SQL injection and debug flag
Seth Jackson committed Dec 10, 2014
1 parent e41ab4b commit b4bc1a3
Showing 1 changed file with 94 additions and 47 deletions.
141 changes: 94 additions & 47 deletions databaseAccessFunctions.js
Expand Up @@ -20,69 +20,79 @@ function hashPassword(password)
return hash;
}

function selectAdult(username, connection)
function insertAdult(firstName, lastName, username, password, packNumber,
leaderType, rankType, phoneNumber, connection)
{
var strQuery = "SELECT * FROM adult WHERE username= '" +connection.escape(username)+"'";
var temp= selectAdult(username, connection);

if(temp.databaseObject.adult_id<1)
{
return temp;
}
var strQuery = "INSERT INTO adult VALUES('"+
connection.escape(firstName) +"', '"+
connection.escape(lastName) +"', '"+
connection.escape(username) +"', '"+
connection.escape(hashPassword(password)) +"', '"+
connection.escape(packNumber) +"', '"+
connection.escape(leaderType) +"', '"+
connection.escape(rankType) +"', '"+
connection.escape(phoneNumber) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
}else{
temp= rows[0];
temp.password="";
temp= new Adult(row[0]);
if(debug)
{console.log("SelectAdult \n"+rows[0]+"\n");}
return temp;
{console.log("insertAdult \n"+rows[0]+"\n");}

return addScoutsToParent(temp);
}
});
}

function validateAdult(username, password, connection)
function selectAdult(username, connection)
{
var strQuery = "SELECT * FROM adult WHERE username= '" +connection.escape(username)+"'" +"AND password= '"
+ hashPassword(password)+"'";
var strQuery = "SELECT * FROM adult WHERE username= '" +connection.escape(username)+"'";

connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
}else{
temp= rows[0];
temp.password="";

if(debug)
{console.log("validateAdult \n"+rows[0]+"\n");}
{console.log("SelectAdult \n"+rows[0]+"\n");}

return temp;
}
});
}

function insertAdult(firstName, lastName, username, password, packNumber,
leaderType, rankType, phoneNumber, connection)
function validateAdult(username, password, connection)
{
var temp= selectAdult(username, connection);
var strQuery = "SELECT * FROM adult WHERE username= '" +
connection.escape(username)+"'" +"AND password= '" +
connection.escape(hashPassword(password))+"'";

if(temp.databaseObject.adult_id<1)
{
return temp;
}
var strQuery = "INSERT INTO adult VALUES('"+firstName+"', '"+lastName+"', '"+
username + "', '" +hashPassword(password) + "', '" + packNumber+"', '"+
leaderType +"', '"+ rankType+"', '"+phoneNumber+ "', 'NULL')";
connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
}else{
temp= new Adult(row[0]);
temp= rows[0];
temp.password="";

if(debug)
{console.log("insertAdult \n"+rows[0]+"\n");}
return addScoutsToParent(temp);
{console.log("validateAdult \n"+rows[0]+"\n");}

return temp;
}
});
}



function updateAdult(firstName, lastName, username, password, packNumber,
leaderType, rankType, phoneNumber,adultID, connection)
{
Expand All @@ -94,26 +104,37 @@ function updateAdult(firstName, lastName, username, password, packNumber,
leaderType, rankType, phoneNumber,-1);
return temp;
}
var strQuery = "UPDATE adult SET first_name="+firstName+", last_name="+lastName+", username="+
username + ", password=" +hashPassword(password) + ", pack_number=" + packNumber+", leader_type="+
leaderType +", rank_type="+ rankType+", phone_number="+phoneNumber+ "WHERE adult_id="+id;
var strQuery = "UPDATE adult SET "+
"first_name=" +connection.escape(firstName) +
", last_name=" +connection.escape(lastName) +
", username=" +connection.escape(username) +
", password=" +connection.escape(hashPassword(password))+
", pack_number=" +connection.escape(packNumber) +
", leader_type=" +connection.escape(leaderType) +
", rank_type=" +connection.escape(rankType) +
", phone_number="+connection.escape(phoneNumber) +
"WHERE adult_id="+connection.escape(id);
connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
}else{
temp= new Adult(row[0]);
if(debug)
{console.log("UpdateAdult \n"+rows[0]+"\n");}

return addScoutsToParent(temp);
}
});
}

function insertAchievement(name, description, categoryID, numElectives, connection)
{
var strQuery = "INSERT INTO achievement VALUES('"+name+"', '" + description + "', '" + categoryID
+"', '"+ numElectives+ "', 'NULL')";
var strQuery = "INSERT INTO achievement VALUES('"+
connection.escape(name) +"', '"+
connection.escape(description) +"', '"+
connection.escape(categoryID) +"', '"+
connection.escape(numElectives) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
Expand All @@ -127,8 +148,12 @@ function insertAchievement(name, description, categoryID, numElectives, connecti

function insertCategory(name, description, rankID, numAchievments, connection)
{
var strQuery = "INSERT INTO category VALUES('"+name+"', '" + description + "', '"
+ rankID+"', '"+numAchievments+ "', 'NULL')";
var strQuery = "INSERT INTO category VALUES('"+
connection.escape(name) +"', '"+
connection.escape(description) +"', '"+
connection.escape(rankID) +"', '"+
connection.escape(numAchievments) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
Expand All @@ -142,7 +167,9 @@ function insertCategory(name, description, rankID, numAchievments, connection)

function insertRank(name, description, connection)
{
var strQuery = "INSERT INTO rank VALUES('"+name+"', '" + description + "', 'NULL')";
var strQuery = "INSERT INTO rank VALUES('"+
connection.escape(name) +"', '"+
connection.escape(description) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
Expand All @@ -158,8 +185,11 @@ function insertRank(name, description, connection)
function insertRecord(recordRankType, dateDone,requirementID,
scoutID, connection)
{
var strQuery = "INSERT INTO record VALUES('"+recordRankType+"', '" +
dateDone + "', '" +requirementID+"', '"+scoutID+"', 'NULL')";
var strQuery = "INSERT INTO record VALUES('"+
connection.escape(recordRankType) +"', '"+
connection.escape(dateDone) +"', '"+
connection.escape(requirementID) +"', '"+
connection.escape(scoutID) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
Expand All @@ -174,8 +204,12 @@ function insertRecord(recordRankType, dateDone,requirementID,

function insertRequirement(name, description, achievementID, reqElec, connection)
{
var strQuery = "INSERT INTO requirement VALUES('"+name+"', '" + description +
"', '" + achievementID+"', '"+reqElec+ "', 'NULL')";
var strQuery = "INSERT INTO requirement VALUES('"+
connection.escape(name) +"', '" +
connection.escape(description) +"', '" +
connection.escape(achievementID) +"', '"+
connection.escape(reqElec) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
Expand All @@ -190,8 +224,15 @@ function insertRequirement(name, description, achievementID, reqElec, connection
function insertScout(firstName, lastName, birthDate,
packNumber, rankType, parentID, leaderID, connection)
{
var strQuery = "INSERT INTO scout VALUES('"+firstName+"', '" +lastName+"', '"+
birthDate + "', '" + packNumber + "', '"+ rankType+"', '"+parentID+", "+leaderID+"', 'NULL')";
var strQuery = "INSERT INTO scout VALUES('"+
connection.escape(firstName) +"', '"+
connection.escape(lastName) +"', '"+
connection.escape(birthDate) +"', '"+
connection.escape(packNumber) +"', '"+
connection.escape(rankType) +"', '"+
connection.escape(parentID) +"', '"+
connection.escape(leaderID) +"', 'NULL')";

connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
Expand All @@ -204,11 +245,17 @@ function insertScout(firstName, lastName, birthDate,
}

function updateScout(firstName, lastName, birthDate,packNumber,
rankType, parentID, leaderID, scoutID, connection)
rankType, parentID, leaderID, scoutID, connection)
{
var strQuery = "UPDATE scout SET first_name="+firstName+", last_name="+lastName+", birth_date="+
+ ", pack_number=" + + ", rank_type=" + packNumber+", parent_id="+
leaderType +", leader_id="+ rankType+" WHERE scout_id="+id;
var strQuery = "UPDATE scout SET "+
"first_name=" +connection.escape(firstName) +
", last_name=" +connection.escape(lastName) +
", birth_date=" +connection.escape(birthdate) +
", pack_number=" +connection.escape(packNumber) +
", rank_type=" + connection.escape(rankType) +
", parent_id=" +connection.escape(parentID) +
", leader_id=" + connection.escape(leaderID) +
" WHERE scout_id="+connection.escape(id);
connection.query( strQuery, function(err, rows)
{if(err) {
throw err;
Expand All @@ -222,7 +269,7 @@ function updateScout(firstName, lastName, birthDate,packNumber,

function addScoutsToParent(adult, connection)
{
var strQuery = "SELECT * FROM scout WHERE parent_id= '" +adult.rowID+"'";
var strQuery = "SELECT * FROM scout WHERE parent_id= '" +connection.escape(adult.rowID)+"'";

connection.query( strQuery, function(err, rows)
{if(err) {
Expand Down
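Review bot: The escaping added in `selectAdult`, `validateAdult`, the `insert*` functions, both `update*` functions and `addScoutsToParent` is still wrapped in hand-written single quotes (`"username= '" + connection.escape(username) + "'"`), and if `connection` is the `mysql` driver's connection its `escape()` already returns a quoted literal, so the generated SQL becomes `username= ''bob''` and every one of these statements fails to parse rather than being protected. The driver's placeholder form does the quoting and escaping itself and removes the problem: `connection.query("SELECT * FROM adult WHERE username = ?", [username], function(err, rows) { ... })`, and likewise `"INSERT INTO adult VALUES(?, ?, ?, ?, ?, ?, ?, ?, NULL)"` with an array of the eight values. `updateScout` references `birthdate` and `id` although its parameters are `birthDate` and `scoutID`, and `updateAdult` uses `id` instead of `adultID` and has no space before `WHERE` (`", phone_number=" + connection.escape(phoneNumber) + "WHERE adult_id="`), so both throw or build a malformed statement before escaping matters. `insertAdult` and `updateAdult` also read `row[0]` (the callback parameter is `rows`), and for INSERT/UPDATE the driver's result argument is a status packet rather than a row array, so `new Adult(row[0])` cannot yield the written adult. Separately, each `return temp` sits inside the asynchronous `connection.query` callback and returns to the driver rather than the caller, so `insertAdult`'s `temp.databaseObject.adult_id` check runs on `undefined`; results need to be delivered through a callback or Promise parameter (the `updateAdult` body starts in the first hunk and continues into the second).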
