Switch string concatenation to placeholders.
The current method is open to SQL injection attacks, see: TryGhost/node-sqlite3#57
AnnAddicks authored Aug 9, 2017
1 parent 8d61bea commit 7f6b343
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion app/db/user.js
Expand Up @@ -8,7 +8,7 @@ var UserManager = {
});
},
createUser: function(user){
var stmt = db.prepare("INSERT INTO users(name, email) VALUES ('"+user.name+"','"+user.email+"')");
var stmt = db.prepare("INSERT INTO users(name, email) VALUES (?, ?)", [user.name, user.email]);
stmt.run();
stmt.finalize();
}
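Review bot: the `stmt.run();` call in this hunk has no callback, so a failing INSERT (for example a constraint violation on `users`) is surfaced only as an unhandled `error` event on the statement rather than being reported to the caller; suggest `stmt.run(function (err) { if (err) { /* report to caller */ } });` (or a callback parameter on `createUser`) so the failure is observable. The substantive change is right: with `db.prepare("INSERT INTO users(name, email) VALUES (?, ?)", [user.name, user.email])` the values are bound as parameters and never become part of the SQL text, which closes the injection path the commit message refers to. As a style point, since the statement is bound once and run once before `finalize()`, the three calls could be collapsed into a single `db.run(sql, [user.name, user.email], callback)`, which also gives a natural place for the error handler.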
