rspec/rules/S3649/javascript/how-to-fix-it/knex.adoc

== How to fix it in Knex

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
async function index(req, res) {
    const knex = req.app.get('knex');

    let loggedInUser = await knex('users')
        .whereRaw(`user = '${req.query.user}' and pass = '${req.query.pass}'`); // Noncompliant

    res.send(JSON.stringify(loggedInUser));
    res.end();
}
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
async function index(req, res) {
    const knex = req.app.get('knex');

    let loggedInUser = await knex('users')
        .where('user', req.query.user)
        .where('pass', req.query.pass);

    res.send(JSON.stringify(loggedInUser));
    res.end();
}
----

=== How does this work?

:secure_feature: Knex
:unsafe_function: whereRaw()

include::../../common/fix/secure-by-design.adoc[]