diff --git a/model/auth.js b/model/auth.js
index 1d4c2218..c30eeeff 100644
--- a/model/auth.js
+++ b/model/auth.js
@@ -4,9 +4,9 @@ var config = require("../config"),
 function do_auth(username, password) {
 var db = pgp(config.db.connectionString);
-var q = "SELECT * FROM users WHERE name = '" + username + "' AND password ='" + password + "';";
+var q = "SELECT * FROM users WHERE name = $1 AND password = $2;";
-return db.one(q);
+return db.one(q, [username, password]);
 }
 module.exports = do_auth;
\ No newline at end of file
diff --git a/model/products.js b/model/products.js
index 6df3f921..c849aa59 100644
--- a/model/products.js
+++ b/model/products.js
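Review bot: `password = $2` still compares the submitted password directly with the stored column value, so the parameterized query closes the injection but, if that column holds plaintext passwords as the equality compare suggests, every credential remains readable to anyone with access to the table. Fetch by name only, `var q = "SELECT * FROM users WHERE name = $1;"` and `return db.one(q, [username])`, then verify the submitted password against a stored salted hash (bcrypt, scrypt or argon2) in the resolved handler, and give a missing row and a failed hash check the same failure result so the login response does not distinguish unknown users from wrong passwords. `db.one` rejects when no row matches, so the caller's catch path is what reports a failed login; that path is outside this hunk. The context line above also shows `pgp(config.db.connectionString)` being called on every login; pg-promise expects a single database object per connection string, so it belongs at module scope.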
@@ -11,41 +11,32 @@ function list_products() {
 function getProduct(product_id) {
-var q = "SELECT * FROM products WHERE id = '" + product_id + "';";
+var q = "SELECT * FROM products WHERE id = $1;";
-return db.one(q);
+return db.one(q, [product_id]);
 }
 function search(query) {
-var q = "SELECT * FROM products WHERE name ILIKE '%" + query + "%' OR description ILIKE '%" + query + "%';";
+var q = "SELECT * FROM products WHERE name ILIKE $1 OR description ILIKE $2;";
-return db.many(q);
+return db.many(q, ['%' + query + '%', '%' + query + '%']);
 }
 function purchase(cart) {
-var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES('" +
-cart.mail + "', '" +
-cart.product_name + "', '" +
-cart.username + "', '" +
-cart.product_id + "', '" +
-cart.address + "', '" +
-cart.ship_date + "', '" +
-cart.phone + "', '" +
-cart.price +
-"');";
+var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES($1, $2, $3, $4, $5, $6, $7, $8);";
-return db.one(q);
+return db.one(q, [cart.mail, cart.product_name, cart.username, cart.product_id, cart.address, cart.phone, cart.ship_date, cart.price]);
 }
 function get_purcharsed(username) {
-var q = "SELECT * FROM purchases WHERE user_name = '" + username + "';";
+var q = "SELECT * FROM purchases WHERE user_name = $1;";
-return db.many(q);
+return db.many(q, [username]);
 }
diff --git a/package.json b/package.json
index 3b0a82b4..ad70c016 100644
--- a/package.json
+++ b/package.json
@@ -16,6 +16,7 @@
 "log4js": "^0.6.36",
 "morgan": "~1.6.1",
 "pg-promise": "^4.4.6",
-"serve-favicon": "~2.3.0"
+"serve-favicon": "~2.3.0",
+"sanitize-html": "^2.13.1"
 }
 }
diff --git a/routes/login.js b/routes/login.js
index 5693a4e5..29ad1e5b 100644
--- a/routes/login.js
+++ b/routes/login.js
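Review bot: `search` still splices the raw `query` into the ILIKE pattern, so `%` and `_` in user input act as wildcards rather than literal characters and the search can be made to return the whole table or match unintended rows. Escape them before adding the outer wildcards, `var pattern = '%' + query.replace(/[\\%_]/g, '\\$&') + '%';` and pass `[pattern, pattern]`, which also removes the duplicated `'%' + query + '%'`; PostgreSQL's default LIKE/ILIKE escape character is the backslash, so no `ESCAPE` clause is needed. `db.many` rejects when the query returns no rows, which is a normal outcome for a search, so `db.any` (or handling the empty-result rejection in the route) fits better. `getProduct` passes `product_id` straight through; if `id` is an integer column, validating the value as an integer before the query gives a clean not-found response instead of a database type error. `db` is declared above this hunk.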
@@ -1,4 +1,5 @@
 var log4js = require("log4js");
+var sanitize = require('sanitize-html');
 var url = require("url");
 var express = require('express');
 var auth = require("../model/auth");
@@ -10,8 +11,8 @@ var logger = log4js.getLogger('vnode')
 router.get('/login', function(req, res, next) {
 var url_params = url.parse(req.url, true).query;
-
-res.render('login', {returnurl: url_params.returnurl, auth_error: url_params.error});
+var sanitizedError = sanitize(url_params.error);
+res.render('login', {returnurl: url_params.returnurl, auth_error: sanitizedError});
 });
diff --git a/views/search.ejs b/views/search.ejs
index dd66a962..13a68d8b 100644
--- a/views/search.ejs
+++ b/views/search.ejs
@@ -1,6 +1,6 @@
 <% layout('content') %>
-
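Review bot: `sanitizedError` still reflects the `error` query parameter into the page; sanitize-html's default allow-list lets common inline tags and links through, so if the login view prints `auth_error` with `<%-` a crafted URL can still place markup on the login page, and if it prints it with `<%=` (as the search.ejs hunk now does for `in_query`) the sanitize call and the new dependency are redundant. Mapping the parameter to a fixed set of messages removes the reflection entirely, e.g. (illustrative key) `var messages = {bad_credentials: 'Invalid username or password'};` and `auth_error: messages[url_params.error] || null`, and also covers the case where `error` is absent or repeated (with `url.parse(..., true)` a repeated key parses to an array, which `sanitize` does not expect). `returnurl` is passed to the view untouched; if it is later used as a redirect target it needs to be restricted to a same-origin relative path. Express already exposes the parsed query as `req.query`, so `url.parse(req.url, true).query` and the `url` require can go.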

Results for: <%- in_query %>

+

Results for: <%= in_query %>

<% if (products.length == 0) { %>

Products not found