From 5f07c25ade3b17fcc048b209892fee99e2bbd75f Mon Sep 17 00:00:00 2001
From: jkaplon <jody@kaplon.us>
Date: Thu, 16 Jul 2015 14:15:06 -0400
Subject: [PATCH] Remove SQL injection on GET /core/:id endpoint with
 parameterized statement.

---
 server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 26398b6..cae306f 100644
--- a/server.js
+++ b/server.js
@@ -86,7 +86,7 @@ app.get('/core/:id', function(req, res){
     var d = new Date();
     var coreId = req.params.id;
     console.log("GET /core/" + coreId + ", " + JSON.stringify(d, 4));
-    db.all("SELECT coreId, published_at, status, coreName FROM Alerts WHERE coreId = '" + coreId + "' ORDER BY published_at DESC LIMIT 30;", function(err, rows){
+    db.all("SELECT coreId, published_at, status, coreName FROM Alerts WHERE coreId = ? ORDER BY published_at DESC LIMIT 30;", coreId, function(err, rows){
         if(err !== null) {
             console.log(err);
         } else {
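Review bot: The error branch at the end of the hunk (`if(err !== null) { console.log(err); }`) only logs the failure and, as far as the hunk shows, never sends a response, so a failed query would leave the client's request hanging; if nothing later in the callback covers that case, `console.log(err); return res.status(500).send('database error');` would close it out. The callback and its `else` branch continue past the hunk, so this is inferred rather than certain. The `?` placeholder with `coreId` passed as a bind parameter is the right fix; a one-line comment above the `db.all` call, `// coreId comes from the URL: bind it as a parameter, never interpolate it into the SQL text`, would keep a future edit from sliding back to string concatenation. Separately, `JSON.stringify(d, 4)` on the logging line passes 4 in the replacer position, where a number is ignored, so `JSON.stringify(d, null, 4)` is presumably what was intended.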