Remove SQL injection on GET /core/:id endpoint with parameterized statement.

2015-07-16 14:15:06 -04:00 · 2015-07-16 14:15:06 -04:00 · 5f07c25ade
commit 5f07c25ade
parent f919c51f33
1 changed files with 1 additions and 1 deletions
--- a/server.js
+++ b/server.js
@ -86,7 +86,7 @@ app.get('/core/:id', function(req, res){
    var d = new Date();
    var coreId = req.params.id;
    console.log("GET /core/" + coreId + ", " + JSON.stringify(d, 4));
-    db.all("SELECT coreId, published_at, status, coreName FROM Alerts WHERE coreId = '" + coreId + "' ORDER BY published_at DESC LIMIT 30;", function(err, rows){
+    db.all("SELECT coreId, published_at, status, coreName FROM Alerts WHERE coreId = ? ORDER BY published_at DESC LIMIT 30;", coreId, function(err, rows){
        if(err !== null) {
            console.log(err);
        } else {