
Use Parameterized Queries in TypeORM query Method

Open · inkz opened this issue 1 year ago · 1 comment

Currently, some queries in the codebase use string interpolation to pass user input into raw SQL queries via the query method in TypeORM. This approach can lead to SQL injection vulnerabilities if untrusted input is used.

e.g. https://github.com/CQBoyBrand/Personal-Blog-System/blob/master/server/apps/frontend/src/article/article.service.ts#L104

This approach directly interpolates user input, making it susceptible to SQL injection attacks. Refactor queries to use parameterized inputs instead of string interpolation.

Example:

const users = await dataSource.query(
  "SELECT * FROM user WHERE email = $1",
  [email]
);

inkz · Feb 26 '25 21:02
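The difference the issue is pointing at, as an added example that is not the project's own code and not part of the original report: a stand-in with the same `query(sql, parameters)` shape as TypeORM's `DataSource` records what would reach the driver, so the interpolated and the parameterized form can be compared without a database. The `article` table and its `id`, `title` and `created_at` columns are assumptions; the real TypeORM method is async and returns rows, while this stand-in returns the recorded call synchronously. One caveat the report's `$1` glosses over: TypeORM hands raw-query parameters straight to the driver, so the placeholder syntax is the driver's (`$1` for `pg`, `?` for `mysql`/`mysql2`), which the example handles per dialect. It also covers two cases a parameter alone does not solve, `IN` lists and user-chosen sort columns.

```typescript
// Added example (not from the Personal-Blog-System repository). Models
// TypeORM's DataSource.query(sql, parameters) with a recording stand-in.
// Table and column names (article, id, title, created_at) are assumptions.

type Dialect = "postgres" | "mysql";

interface QueryCall {
  sql: string;
  parameters: unknown[];
}

// Stand-in for TypeORM's DataSource. Same method shape, but it only records
// the SQL text and parameter array it would pass to the driver. The real
// method is async; this one is synchronous to keep the comparison simple.
class RecordingDataSource {
  public readonly calls: QueryCall[] = [];
  constructor(public readonly dialect: Dialect) {}

  query(sql: string, parameters: unknown[] = []): QueryCall {
    const call: QueryCall = { sql, parameters };
    this.calls.push(call);
    return call;
  }
}

// VULNERABLE ("before"): the value is spliced into the SQL text, so a quote
// in the input changes the statement's structure instead of being data.
function findArticlesByTitleUnsafe(ds: RecordingDataSource, title: string): QueryCall {
  return ds.query(`SELECT * FROM article WHERE title = '${title}'`);
}

// Placeholder syntax is the driver's, not TypeORM's: pg uses $1, $2, ...;
// mysql/mysql2 use ?.
function placeholder(index: number, dialect: Dialect): string {
  return dialect === "postgres" ? `$${index}` : "?";
}

// FIXED: the SQL text is constant; the value travels in the parameter array
// and is sent to the server separately from the statement.
function findArticlesByTitleSafe(ds: RecordingDataSource, title: string): QueryCall {
  return ds.query(
    `SELECT * FROM article WHERE title = ${placeholder(1, ds.dialect)}`,
    [title],
  );
}

// IN lists need one placeholder per element. Binding a joined string to a
// single placeholder compares against one literal; interpolating the list
// reintroduces the injection. An empty list gets a query that matches nothing.
function findArticlesByIds(ds: RecordingDataSource, ids: number[]): QueryCall {
  if (ids.length === 0) {
    return ds.query("SELECT * FROM article WHERE 1 = 0");
  }
  const list = ids.map((_, i) => placeholder(i + 1, ds.dialect)).join(", ");
  return ds.query(`SELECT * FROM article WHERE id IN (${list})`, ids);
}

// Identifiers (column names, sort direction) cannot be bound as parameters.
// Map the user's choice onto a fixed allow-list instead of interpolating it.
// A Map is used rather than a plain object so keys such as "constructor"
// cannot resolve through the prototype chain.
const SORTABLE_COLUMNS = new Map<string, string>([
  ["date", "created_at"],
  ["title", "title"],
]);

function listArticlesSorted(ds: RecordingDataSource, sortKey: string, desc: boolean): QueryCall {
  const column = SORTABLE_COLUMNS.get(sortKey);
  if (column === undefined) {
    throw new Error(`unsupported sort key: ${sortKey}`);
  }
  return ds.query(`SELECT * FROM article ORDER BY ${column} ${desc ? "DESC" : "ASC"}`);
}

// Crude structural check: number of single-quoted literals in the SQL text.
// The unsafe template has one; an injected quote changes that count.
function countStringLiterals(sql: string): number {
  return (sql.match(/'/g) ?? []).length / 2;
}

// Constructed input: a classic tautology payload.
const demo = new RecordingDataSource("postgres");
const payload = "x' OR '1'='1";
findArticlesByTitleUnsafe(demo, payload); // SQL text now holds 3 literals
findArticlesByTitleSafe(demo, payload);   // SQL text unchanged, payload is parameter $1
```

With the same payload, the unsafe version's recorded SQL is `SELECT * FROM article WHERE title = 'x' OR '1'='1'`, while the safe version's SQL stays `SELECT * FROM article WHERE title = $1` and the payload sits whole in `parameters[0]`. When the fix is applied in the real service, `query` must be awaited as before; only the placeholder form and the second argument change.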

Thanks for the feedback, I will deal with this problem as soon as possible.

CQBoyBrand · Feb 27 '25 05:02