Fix SQL injection/special values when cleaning database

L-U-M-E-N · Oct 27, 2023 · 7463d83 · 7463d83
1 parent 0d508a6
commit 7463d83
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/main.server.js b/main.server.js
@@ -40,59 +40,59 @@ export default class FocusStats {
 			// Rename in history
 			await Database.execQuery(`
 				UPDATE focus_stats
-				SET name = REPLACE(name, '${oldVal}', '${newVal}'), exe = REPLACE(exe, '${oldVal}', '${newVal}')
-				WHERE exe LIKE '%${oldVal}%'
-				OR 	 name LIKE '%${oldVal}%'
-			`);
+				SET name = REPLACE(name, $1, $2), exe = REPLACE(exe, $1, $2)
+				WHERE exe LIKE '%' || $1 || '%'
+				OR 	 name LIKE '%' || $1 || '%'
+			`, [oldVal, newVal]);
 
 			// Remove tagging, it'll be re-push if not duplicate with right values
 			await Database.execQuery(`
 				DELETE FROM focus_stats_tags
-					WHERE exe LIKE '%${oldVal}%'
-					OR 	 name LIKE '%${oldVal}%'
-			`);
+					WHERE exe LIKE '%' || $1 || '%'
+					OR 	 name LIKE '%' || $1 || '%'
+			`, [oldVal]);
 		}
 
 		for(const value of config['cleaner']['keepEndOnly']) {
 			log(`	Database - Keep end only "${value}"`);
 
 			// Rename in history
 			await Database.execQuery(`
-				UPDATE focus_stats SET exe = '${value}'
-				WHERE exe LIKE '%${value}'
-			`);
+				UPDATE focus_stats SET exe = $1
+				WHERE exe LIKE '%' || $1
+			`, [value]);
 			await Database.execQuery(`
-				UPDATE focus_stats SET name = '${value}'
-				WHERE name LIKE '%${value}'
-			`);
+				UPDATE focus_stats SET name = $1
+				WHERE name LIKE '%' || $1
+			`, [value]);
 
 			// Remove tagging, it'll be re-push if not duplicate with right values
 			await Database.execQuery(`
 				DELETE FROM focus_stats_tags
-					WHERE exe LIKE '%${value}'
-					OR 	 name LIKE '%${value}'
-			`);
+					WHERE exe LIKE '%' || $1
+					OR 	 name LIKE '%' || $1
+			`, [value]);
 		}
 
 		for(const value of config['cleaner']['keepStartOnly']) {
 			log(`	Database - Keep start only "${value}"`);
 
 			// Rename in history
 			await Database.execQuery(`
-				UPDATE focus_stats SET exe = '${value}'
-				WHERE exe LIKE '${value}%'
-			`);
+				UPDATE focus_stats SET exe = $1
+				WHERE exe LIKE $1 || '%'
+			`, [value]);
 			await Database.execQuery(`
-				UPDATE focus_stats SET name = '${value}'
-				WHERE name LIKE '${value}%'
-			`);
+				UPDATE focus_stats SET name = $1
+				WHERE name LIKE $1 || '%'
+			`, [value]);
 
 			// Remove tagging, it'll be re-push if not duplicate with right values
 			await Database.execQuery(`
 				DELETE FROM focus_stats_tags
-					WHERE exe LIKE '${value}%'
-					OR 	 name LIKE '${value}%'
-			`);
+					WHERE exe LIKE $1 || '%'
+					OR 	 name LIKE $1 || '%'
+			`, [value]);
 		}
 
 		log('Cleaned database data !')