46 lines
1.1 KiB
Plaintext
46 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
var db = require('./mysql/dbConnection.js');
|
|
|
|
function (req, res) {
|
|
var name = req.query.name; // user controlled input
|
|
var password = crypto.createHash('sha256').update(req.query.password).digest('base64');
|
|
|
|
var sql = "select * from user where name = '" + name + "' and password = '" + password + "'";
|
|
|
|
db.query(sql, function(err, result) { // Noncompliant
|
|
// something
|
|
})
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
var db = require('./mysql/dbConnection.js');
|
|
|
|
function (req, res) {
|
|
var name = req.query.name; // user controlled input
|
|
var password = crypto.createHash('sha256').update(req.query.password).digest('base64');
|
|
|
|
var sql = "select * from user where name = ? and password = ?"; // the query is parameterized
|
|
|
|
db.query(sql, [name, password], function(err, result) { // Compliant
|
|
// something
|
|
})
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|