Warmup-nodejs/week3
VictoriaDem17 committed Mar 9, 2024
1 parent 2abed2b commit 6309ee5
Showing 2 changed files with 104 additions and 0 deletions.
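--- a/6_nodejs/week3/app.js
+++ b/6_nodejs/week3/app.js
@@ -0,0 +1,65 @@
+import knex from "knex";
+const knexInstance = knex({
+client: "mysql2",
+connection: {
+host: process.env.DB_HOST || "127.0.0.1",
+port: process.env.DB_PORT || 3307,
+user: process.env.DB_USER || "root",
+password: process.env.DB_PASSWORD || "pass",
+database: process.env.DB_NAME || "hyf_node_week3_warmup",
+multipleStatements: true,
+},
+});
+
+import express from "express";
+const app = express();
+const port = process.env.PORT || 3003;
+
+app.use(express.json());
+
+const apiRouter = express.Router();
+app.use("/api", apiRouter);
+
+const contactsAPIRouter = express.Router();
+apiRouter.use("/contacts", contactsAPIRouter);
+
+/* SQL Injection
+SQL injection happens when the user, instead of inputting the valid data,
+inputs a SQL statement that ultimately gets executed on the database.
+The best defense against these kinds of attacks are the framework-supported,
+SQL-prepared statements or using named parameters.
+*/
+
+// SQL injection cheat sheet - https://portswigger.net/web-security/sql-injection/cheat-sheet
+
+contactsAPIRouter.get("/", async (req, res) => {
+let query = knexInstance.select("*").from("contacts");
+
+if ("sort" in req.query) {
+const orderBy = req.query.sort.toString();
+// preventing SQL injection using parameterized queries instead of string concatenation
+const preparedStatementQueries = [
+"first_name",
+"last_name",
+"email",
+"phone",
+];
+if (orderBy.length > 0 && preparedStatementQueries.includes(orderBy)) {
+query = query.orderBy(orderBy);
+}
+}
+
+console.log("SQL", query.toSQL().sql);
+
+try {
+const data = await query;
+res.json({ data });
+} catch (e) {
+console.error(e);
+res.status(500).json({ error: "Internal server error" });
+}
+});
+
+app.listen(port, () => {
+console.log(`Listening on port ${port}`);
+});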
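Review bot: The comment above the column list and the name `preparedStatementQueries` describe a defense this handler does not use: an ORDER BY column is an identifier, which cannot be passed as a bind parameter, so what actually protects this endpoint is the allow-list check in `preparedStatementQueries.includes(orderBy)`, not a prepared statement. Renaming to `const sortableColumns = ["first_name", "last_name", "email", "phone"];` and replacing the comment with `// ORDER BY takes an identifier, not a bind value, so an allow-list of column names is the defense here` makes the lesson say what the code does. Separately, `multipleStatements: true` in the knex connection is not needed by this route and widens the impact of any injection that ever slips into a future query, since stacked statements would then execute; dropping it is a free hardening. The hard-coded fallback password `"pass"` and the `DB_PORT` value being a string when it comes from the environment are presumably acceptable for a warmup, but worth a comment if this file is reused.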
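--- a/6_nodejs/week3/hyf_node_week3_warmup.sql
+++ b/6_nodejs/week3/hyf_node_week3_warmup.sql
@@ -0,0 +1,39 @@
+CREATE DATABASE hyf_node_week3_warmup;
+
+USE hyf_node_week3_warmup;
+
+CREATE TABLE `contacts` (
+`id` int unsigned NOT NULL AUTO_INCREMENT,
+`first_name` varchar(255) NOT NULL,
+`last_name` varchar(255) NOT NULL,
+`email` varchar(255) DEFAULT NULL,
+`phone` varchar(255) DEFAULT NULL,
+PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- Sample data
+insert into contacts (id, first_name, last_name, email, phone) values (1, 'Selig', 'Matussov', '[email protected]', '176-630-4577');
+insert into contacts (id, first_name, last_name, email, phone) values (2, 'Kenny', 'Yerrington', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (3, 'Emilie', 'Gaitskell', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (4, 'Jordon', 'Tokell', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (5, 'Sallyann', 'Persse', '[email protected]', '219-157-2368');
+insert into contacts (id, first_name, last_name, email, phone) values (6, 'Berri', 'Bulter', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (7, 'Lanni', 'Ivanilov', '[email protected]', null);
+insert into contacts (id, first_name, last_name, email, phone) values (8, 'Dagny', 'Milnthorpe', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (9, 'Annadiane', 'Bansal', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (10, 'Tawsha', 'Hackley', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (11, 'Rubetta', 'Ozelton', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (12, 'Charles', 'Boughey', '[email protected]', '605-358-5664');
+insert into contacts (id, first_name, last_name, email, phone) values (13, 'Shantee', 'Robbe', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (14, 'Gleda', 'Peat', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (15, 'Arlinda', 'Ethersey', '[email protected]', '916-139-1300');
+insert into contacts (id, first_name, last_name, email, phone) values (16, 'Armando', 'Meachem', '[email protected]', '631-442-5339');
+insert into contacts (id, first_name, last_name, email, phone) values (17, 'Codi', 'Redhouse', null, '401-953-6897');
+insert into contacts (id, first_name, last_name, email, phone) values (18, 'Ann', 'Buncombe', '[email protected]', '210-338-0748');
+insert into contacts (id, first_name, last_name, email, phone) values (19, 'Louis', 'Matzkaitis', '[email protected]', '583-996-6979');
+insert into contacts (id, first_name, last_name, email, phone) values (20, 'Jessey', 'Pala', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (21, 'Archy', 'Scipsey', '[email protected]', '420-983-2426');
+insert into contacts (id, first_name, last_name, email, phone) values (22, 'Benoit', 'Mould', '[email protected]', '271-217-9218');
+insert into contacts (id, first_name, last_name, email, phone) values (23, 'Sherm', 'Girardey', '[email protected]', '916-999-2957');
+insert into contacts (id, first_name, last_name, email, phone) values (24, 'Raquel', 'Mudge', '[email protected]', '789-830-7473');
+insert into contacts (id, first_name, last_name, email, phone) values (25, 'Tabor', 'Reavey', null, null);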
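Review bot: The email column values in every sample-data row appear on this page as the literal string `[email protected]`, which looks like an obfuscation artifact of the rendered view rather than the committed text; confirm the file in the repository holds distinct sample addresses, otherwise the seeded data gives the `email` column no useful variety to sort on. The `CREATE DATABASE hyf_node_week3_warmup;` at the top also fails on a second run of the script; `CREATE DATABASE IF NOT EXISTS hyf_node_week3_warmup;` makes the setup re-runnable.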
