Escaping to prevent sql injections & others issues
gperson committed Jan 8, 2015
1 parent df486c8 commit a29d8ae
Showing 2 changed files with 4 additions and 3 deletions.
2 changes: 1 addition & 1 deletion app/app.js
Expand Up @@ -30,7 +30,7 @@ app.controller('projectCtrl', function($scope, $location, $http, myFactory) {
$scope.switchProject = function(project){
myFactory.set(project);
$scope.project.name = project.substring(6);
$location.path('/app/index.html#/view1');
$location.path('/app/index.html#/tests');
};
});

5 changes: 3 additions & 2 deletions rest-server/data-server.js
Expand Up @@ -135,7 +135,8 @@ function getProjectTables(response){
*/
function addNote(request, response, note){
var parts = url.parse(request.url,true);
var query = connection.query("INSERT INTO notes_"+(parts.query.table).substring(6)+" (testId,who,note) VALUES ("+note.testId+",'" + note.who + "','"+note.note+"')", function(err, rows, fields) {
var queryStr = "INSERT INTO notes_"+(parts.query.table).substring(6)+" (testId,who,note) VALUES ("+connection.escape(note.testId)+"," + connection.escape(note.who) + ","+connection.escape(note.note)+")";
var query = connection.query(queryStr,function(err, rows, fields) {
if (err) {
response.statusCode = 400;
console.log(err);
Expand Down Expand Up @@ -163,7 +164,7 @@ function addTest(request, response, body){
start = start.getFullYear()+"-"+(start.getMonth()+1)+"-"+start.getDate()+" "+start.getHours()+":"+start.getMinutes()+":"+start.getSeconds();
end = end.getFullYear()+"-"+(end.getMonth()+1)+"-"+end.getDate()+" "+end.getHours()+":"+end.getMinutes()+":"+end.getSeconds();

var queryStr = "INSERT INTO "+table+" (name,param,error,start,end,status,extra,runInfo) VALUES ('"+test.name+"','" + test.param + "','"+test.error+ "','"+start+ "','"+end+ "','"+test.status+ "','"+test.extra+ "','"+test.runInfo+"')";
var queryStr = "INSERT INTO "+table+" (name,param,error,start,end,status,extra,runInfo) VALUES ("+connection.escape(test.name)+"','" + connection.escape(test.param) + ","+connection.escape(test.error)+ "','"+start+ "','"+end+ "',"+connection.escape(test.status)+ ","+connection.escape(test.extra)+ ","+connection.escape(test.runInfo)+")";
var query = connection.query(queryStr, function(err, rows, fields) {
if (err) {
response.statusCode = 400;
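Review bot: The rewritten INSERT in addTest (the `var queryStr = ...` line of the second hunk) still carries the old literal quote separators — `"','"` after `connection.escape(test.name)`, `"','"` after `connection.escape(test.error)` and `"',"` after `end` — and since escape() already wraps string values in quotes, the statement comes out malformed (name and param collapse into a single quoted literal and the start value is left unquoted), so the query can no longer insert the intended columns. Every separator should be a plain comma and start/end should be escaped like the other values, e.g. `var queryStr = "INSERT INTO "+table+" (name,param,error,start,end,status,extra,runInfo) VALUES ("+connection.escape(test.name)+","+connection.escape(test.param)+","+connection.escape(test.error)+","+connection.escape(start)+","+connection.escape(end)+","+connection.escape(test.status)+","+connection.escape(test.extra)+","+connection.escape(test.runInfo)+")";` — or pass the values as an array with `?` placeholders to connection.query(), which does the same escaping without hand-built quoting. The table name is still concatenated unescaped in both hunks (`table` here, `(parts.query.table).substring(6)` taken from the request URL in addNote); escape() only covers values, not identifiers, so that part should be checked against the known set of tables or at least passed through connection.escapeId(). addTest's body starts and ends outside the hunk.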
