
Commit 6309ee5

committed
Warmup-nodejs/week3
1 parent 2abed2b commit 6309ee5


2 files changed

+104
-0
lines changed


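--- a/6_nodejs/week3/app.js
+++ b/6_nodejs/week3/app.js
@@ -0,0 +1,65 @@
+import knex from "knex";
+const knexInstance = knex({
+client: "mysql2",
+connection: {
+host: process.env.DB_HOST || "127.0.0.1",
+port: process.env.DB_PORT || 3307,
+user: process.env.DB_USER || "root",
+password: process.env.DB_PASSWORD || "pass",
+database: process.env.DB_NAME || "hyf_node_week3_warmup",
+multipleStatements: true,
+},
+});
+
+import express from "express";
+const app = express();
+const port = process.env.PORT || 3003;
+
+app.use(express.json());
+
+const apiRouter = express.Router();
+app.use("/api", apiRouter);
+
+const contactsAPIRouter = express.Router();
+apiRouter.use("/contacts", contactsAPIRouter);
+
+/* SQL Injection
+SQL injection happens when the user, instead of inputting the valid data,
+inputs a SQL statement that ultimately gets executed on the database.
+The best defense against these kinds of attacks are the framework-supported,
+SQL-prepared statements or using named parameters.
+*/
+
+// SQL injection cheat sheet - https://portswigger.net/web-security/sql-injection/cheat-sheet
+
+contactsAPIRouter.get("/", async (req, res) => {
+let query = knexInstance.select("*").from("contacts");
+
+if ("sort" in req.query) {
+const orderBy = req.query.sort.toString();
+// preventing SQL injection using parameterized queries instead of string concatenation
+const preparedStatementQueries = [
+"first_name",
+"last_name",
+"email",
+"phone",
+];
+if (orderBy.length > 0 && preparedStatementQueries.includes(orderBy)) {
+query = query.orderBy(orderBy);
+}
+}
+
+console.log("SQL", query.toSQL().sql);
+
+try {
+const data = await query;
+res.json({ data });
+} catch (e) {
+console.error(e);
+res.status(500).json({ error: "Internal server error" });
+}
+});
+
+app.listen(port, () => {
+console.log(`Listening on port ${port}`);
+});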
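Review bot: The connection config turns on `multipleStatements: true` (file line 10) although the only query in this file is a single knex builder statement, and that option lets any mis-built or injected SQL chain additional statements onto one call; drop the line unless a setup step genuinely needs it. The comment on line 40 and the name `preparedStatementQueries` misdescribe the defence: column identifiers cannot be bound as prepared-statement parameters, so what actually protects `orderBy` is the allowlist check on line 47 — rename it to `const sortableColumns = [` and replace the comment with `// column names cannot be parameterized; only known columns are accepted for ORDER BY`. The fallback `password: process.env.DB_PASSWORD || "pass"` commits a default credential to the repository; consider failing startup when `DB_PASSWORD` is unset instead of falling back. The route handler and the config object lie entirely within this hunk.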
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
CREATE DATABASE hyf_node_week3_warmup;
2+
3+
USE hyf_node_week3_warmup;
4+
5+
CREATE TABLE `contacts` (
6+
`id` int unsigned NOT NULL AUTO_INCREMENT,
7+
`first_name` varchar(255) NOT NULL,
8+
`last_name` varchar(255) NOT NULL,
9+
`email` varchar(255) DEFAULT NULL,
10+
`phone` varchar(255) DEFAULT NULL,
11+
PRIMARY KEY (`id`)
12+
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
13+
14+
-- Sample data
15+
insert into contacts (id, first_name, last_name, email, phone) values (1, 'Selig', 'Matussov', '[email protected]', '176-630-4577');
16+
insert into contacts (id, first_name, last_name, email, phone) values (2, 'Kenny', 'Yerrington', null, null);
17+
insert into contacts (id, first_name, last_name, email, phone) values (3, 'Emilie', 'Gaitskell', null, null);
18+
insert into contacts (id, first_name, last_name, email, phone) values (4, 'Jordon', 'Tokell', null, null);
19+
insert into contacts (id, first_name, last_name, email, phone) values (5, 'Sallyann', 'Persse', '[email protected]', '219-157-2368');
20+
insert into contacts (id, first_name, last_name, email, phone) values (6, 'Berri', 'Bulter', null, null);
21+
insert into contacts (id, first_name, last_name, email, phone) values (7, 'Lanni', 'Ivanilov', '[email protected]', null);
22+
insert into contacts (id, first_name, last_name, email, phone) values (8, 'Dagny', 'Milnthorpe', null, null);
23+
insert into contacts (id, first_name, last_name, email, phone) values (9, 'Annadiane', 'Bansal', null, null);
24+
insert into contacts (id, first_name, last_name, email, phone) values (10, 'Tawsha', 'Hackley', null, null);
25+
insert into contacts (id, first_name, last_name, email, phone) values (11, 'Rubetta', 'Ozelton', null, null);
26+
insert into contacts (id, first_name, last_name, email, phone) values (12, 'Charles', 'Boughey', '[email protected]', '605-358-5664');
27+
insert into contacts (id, first_name, last_name, email, phone) values (13, 'Shantee', 'Robbe', null, null);
28+
insert into contacts (id, first_name, last_name, email, phone) values (14, 'Gleda', 'Peat', null, null);
29+
insert into contacts (id, first_name, last_name, email, phone) values (15, 'Arlinda', 'Ethersey', '[email protected]', '916-139-1300');
30+
insert into contacts (id, first_name, last_name, email, phone) values (16, 'Armando', 'Meachem', '[email protected]', '631-442-5339');
31+
insert into contacts (id, first_name, last_name, email, phone) values (17, 'Codi', 'Redhouse', null, '401-953-6897');
32+
insert into contacts (id, first_name, last_name, email, phone) values (18, 'Ann', 'Buncombe', '[email protected]', '210-338-0748');
33+
insert into contacts (id, first_name, last_name, email, phone) values (19, 'Louis', 'Matzkaitis', '[email protected]', '583-996-6979');
34+
insert into contacts (id, first_name, last_name, email, phone) values (20, 'Jessey', 'Pala', null, null);
35+
insert into contacts (id, first_name, last_name, email, phone) values (21, 'Archy', 'Scipsey', '[email protected]', '420-983-2426');
36+
insert into contacts (id, first_name, last_name, email, phone) values (22, 'Benoit', 'Mould', '[email protected]', '271-217-9218');
37+
insert into contacts (id, first_name, last_name, email, phone) values (23, 'Sherm', 'Girardey', '[email protected]', '916-999-2957');
38+
insert into contacts (id, first_name, last_name, email, phone) values (24, 'Raquel', 'Mudge', '[email protected]', '789-830-7473');
39+
insert into contacts (id, first_name, last_name, email, phone) values (25, 'Tabor', 'Reavey', null, null);
