theis.gaedigk/ca-lose
3
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

fix: update SQL queries to use parameterized table names for security

Browse Source 
Co-authored-by: Copilot <copilot@github.com>
This commit is contained in:
Theis Gaedigk
2026-05-04 22:40:24 +02:00
parent 4df6d243f3
commit 2a4825269b
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/routes/default/frontend.data.js
+3 -3
View File
@@ -40,7 +40,7 @@ export const confirmUser = async (username) => {
console.log(tableName);
const [createTable] = await pool.query(
`CREATE TABLE IF NOT EXISTS ? (
`CREATE TABLE IF NOT EXISTS ?? (
id INT AUTO_INCREMENT PRIMARY KEY,
Vorname VARCHAR(100) NOT NULL,
Nachname Varchar(100) NOT NULL,
@@ -64,7 +64,7 @@ export const confirmUser = async (username) => {
let nextID;
const getNextID = async () => {
const [rows] = await pool.query(
`SELECT id FROM ? ORDER BY id DESC LIMIT 1`,
`SELECT id FROM ?? ORDER BY id DESC LIMIT 1`,
[tableName],
);
nextID = rows.length > 0 ? rows[0].id + 1 : 1;
@@ -89,7 +89,7 @@ export const newEntry = async (formData, username) => {
const tableName = confirmation.tableName;
const [result] = await pool.query(
`INSERT INTO ? (Vorname, Nachname, EMail, Telefonnummer, Lose, Firmenname, Vorname_Geschaeftlich, Nachname_Geschaeftlich, EMail_Geschaeftlich, Telefonnummer_Geschaeftlich, Strasse_Hausnr, Plz_Ort, Zahlungsmethode) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
`INSERT INTO ?? (Vorname, Nachname, EMail, Telefonnummer, Lose, Firmenname, Vorname_Geschaeftlich, Nachname_Geschaeftlich, EMail_Geschaeftlich, Telefonnummer_Geschaeftlich, Strasse_Hausnr, Plz_Ort, Zahlungsmethode) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
[
tableName,
formData.firstName,