change to sanitize sql input

GSA · Oct 30, 2024 · fbaf725 · fbaf725
1 parent 24b0219
commit fbaf725
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/api/controllers/base.controller.js b/api/controllers/base.controller.js
@@ -7,6 +7,8 @@ const sql = require("../db.js").connection,
   { google } = require("googleapis")
   fastcsv = require("fast-csv");
 
+const SqlString = require('sqlstring');
+
 // If modifying these scopes, delete token.json.
 const SCOPES = ["https://www.googleapis.com/auth/spreadsheets.readonly"];
 // The file token.json stores the user's access and refresh tokens, and is
@@ -97,8 +99,7 @@ function buildLogQuery(conn, event, user, msg, response) {
 
 async function buildLogQueryAsync(conn, event, user, msg) {
   // 
-  var query = `insert into gear_log.event (Event, User, DTG) values ('${event}', '${user}', now());`;
-  console.log(query);
+  var query = `insert into gear_log.event (Event, User, DTG) values ('${SqlString.escape(event)}', '${SqlString.escape(user)}', now());`;
   try {
     await conn.promise().query(query);
     return JSON.stringify(data);