
Sanitize inputs #40

Closed
crookse opened this issue May 29, 2020 · 7 comments · Fixed by #108
Labels
Priority: Low Type: Enhancement This item introduces a new feature

Comments

@crookse
Member

crookse commented May 29, 2020

Currently, the postgres plugin doesn't sanitize inputs. We should add logic to sanitize our inputs before they're entered into the database. We have some good validation as a starting point in the user_model.ts file. We should expand on our validation efforts.

You can test this by following the steps below:

  1. Log in with user1@hotmail.com / Userpass1
  2. Go to the Settings page.
  3. Update your bio with the following:
     ' WHERE id = '1'; UPDATE users SET username = 'test

Notice that your username becomes test.

@crookse crookse added the Type: Enhancement This item introduces a new feature label May 29, 2020
@ebebbington
Member

Do you have an idea of how this would be implemented? I'm used to using PDO or having the framework used do this, but not manually.

@crookse
Member Author

crookse commented May 30, 2020

We could just change special characters to entities before they go into the database and then convert them back when we retrieve them.

@ebebbington
Member

Course, nice one, I was thinking of the whole query, which is where I was going wrong.

So I guess the end result would be:

  • All CRUD methods would call a new escapeQueryData method (or whatever name is best) before calling this.prepare
  • SELECT method would call an unescapeDBResult method (or whatever name is best) to unescape the data at the end of the method, before returning it

@ebebbington
Member

Asked in pgc4d and deno-postgres to see if they currently have sanitisation implemented, or any plans to. Mainly because it would save us a job of doing it manually.

Note that there is another postgres module mentioned, but by no means am I suggesting it, just trying to get as much info as possible.

@ebebbington
Member

Author of pgc4d replied here, and they do encode queries when used with placeholders.

@ebebbington
Member

Seems like deno-postgres does: await client.query("SELECT * FROM ids WHERE id < $1;", 2). Worth checking, as I hadn't had any confirmation from the owner.

@ebebbington
Member

Postgress currently doesn't, but they do parameterise queries, so it means we can strip out logic we have added to do that.
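The two ways of building the bio update discussed above, side by side, as an added example that is not code from the project, from deno-postgres or from anyone in this thread. The bio value is the one from the repro steps; the function names and the userId value are assumed.

```typescript
// Added example for this thread, not project or deno-postgres code.
// Function names are assumed; the bio value is the issue's repro input.

interface PreparedQuery {
  text: string;     // fixed SQL with $1-style placeholders
  args: unknown[];  // values the driver binds separately, never parsed as SQL
}

// Unsafe: user data is spliced into the statement text, so a quote in the
// bio ends the literal and whatever follows is read as SQL.
function buildUpdateBioUnsafe(userId: string, bio: string): string {
  return `UPDATE users SET bio = '${bio}' WHERE id = '${userId}'`;
}

// Safe: the statement text never changes; the bio travels as a bound
// argument, the same shape as client.query(text, ...args) in deno-postgres.
function buildUpdateBioSafe(userId: string, bio: string): PreparedQuery {
  return { text: "UPDATE users SET bio = $1 WHERE id = $2", args: [bio, userId] };
}

// Counts top-level statements, ignoring ';' inside single-quoted literals
// ('' inside a literal is an escaped quote). A test-time check that a query
// handed to the driver is still exactly one statement.
function countStatements(sql: string): number {
  let inLiteral = false;
  let count = 0;
  let sawText = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inLiteral) {
      if (ch === "'") {
        if (sql[i + 1] === "'") { i++; } else { inLiteral = false; }
      }
      sawText = true;
      continue;
    }
    if (ch === "'") { inLiteral = true; sawText = true; continue; }
    if (ch === ";") { if (sawText) count++; sawText = false; continue; }
    if (!/\s/.test(ch)) sawText = true;
  }
  return sawText ? count + 1 : count;
}

const reproBio = "' WHERE id = '1'; UPDATE users SET username = 'test";
console.log(countStatements(buildUpdateBioUnsafe("7", reproBio)));    // 2
console.log(countStatements(buildUpdateBioSafe("7", reproBio).text)); // 1
```

The same check can be wired into the plugin's tests so any method that still concatenates user data into its query text fails before it reaches a database.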
