🙊 escape sql strings

This commit is contained in:
Carl-Gerhard Lindesvärd
2024-03-28 15:57:13 +01:00
parent 40b98f36a4
commit ecf68463c9
16 changed files with 104 additions and 56 deletions


@@ -1,4 +1,5 @@
import type { FastifyReply, FastifyRequest } from 'fastify';
import { escape } from 'sqlstring';
import type * as WebSocket from 'ws';
import { getSafeJson } from '@openpanel/common';
@@ -19,7 +20,7 @@ export async function test(
reply: FastifyReply
) {
const [event] = await getEvents(
`SELECT * FROM events WHERE project_id = '${req.params.projectId}' AND name = 'screen_view' LIMIT 1`
`SELECT * FROM events WHERE project_id = ${escape(req.params.projectId)} AND name = 'screen_view' LIMIT 1`
);
if (!event) {
return reply.status(404).send('No event found');
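Review bot: The new `project_id = ${escape(req.params.projectId)}` line still builds the statement by string concatenation; `escape()` quotes a literal rather than binding a parameter, so if the client behind `getEvents` accepts placeholders, a bound parameter would be the stronger fix and would stop every call site from having to remember the wrapper (the commit touches 16 files, presumably other interpolated queries, and the same applies there). `sqlstring.escape` follows MySQL quoting rules and formats non-string inputs differently (arrays become comma lists, objects become `key = value` pairs), so this is only safe because a Fastify route param is always a string — worth a comment at the call, e.g. `// projectId is a string route param; escape() renders it as a quoted SQL literal`, and worth confirming if `getEvents` targets a dialect other than MySQL. The enclosing function `test` continues past the end of the hunk.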