From 086267e56128c785fd3ba6fb9180b738cca72a33 Mon Sep 17 00:00:00 2001 From: yikth Date: Sun, 13 Sep 2020 20:47:18 +0800 Subject: [PATCH] add API validation check --- nusmoney_backend/routes/accounts.js | 21 ++++++++++++------- nusmoney_backend/routes/messages.js | 14 ++++++++++++- nusmoney_backend/routes/users.js | 32 +++++++++++++++++++++++++++-- 3 files changed, 57 insertions(+), 10 deletions(-) diff --git a/nusmoney_backend/routes/accounts.js b/nusmoney_backend/routes/accounts.js index 8244cc9..1fe6831 100644 --- a/nusmoney_backend/routes/accounts.js +++ b/nusmoney_backend/routes/accounts.js @@ -37,11 +37,11 @@ router.post("/", (request, response) => { // ShowAccounts() // GET route for /accounts query (AddUser) router.get("/", (request, response) => { - console.log(request.body); + console.log(request.query); // strQuery = "SELECT * FROM accounts"; if (request.query.id != null) { - strQuery += ` WHERE user_id = ${request.query.id}` + strQuery += ` WHERE user_id = ${request.query.id}`; } else if (request.query.name != null) { strQuery = `SELECT u.name, a.* FROM accounts AS a @@ -49,11 +49,18 @@ router.get("/", (request, response) => { ON u.user_id = a.user_id WHERE u.name = '${request.query.name}'`; } + else if (request.query.account_no != null) { + strQuery = `SELECT a.* FROM accounts AS a + WHERE a.acct_number = '${request.query.account_no}'`; + + + } if (request.query.limit > 0) { strQuery += ` LIMIT ${request.query.limit}` } - + // + console.log(strQuery); connection.query(strQuery, (err, result) => { if (err) { @@ -67,7 +74,7 @@ router.get("/", (request, response) => { // DeleteAccount() -// DELETE route for /accounts query +// DELETE route for /accounts/{account_no} query router.delete("/:account_no", (request, response) => { console.log(request.params); // 
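Review bot: The `?id=` branch in the first accounts.js hunk still interpolates `request.query.id` straight into `WHERE user_id = ...` (the new line only adds a semicolon), while this same commit adds an `isNaN` guard for that exact pattern in users.js and messages.js; accounts.js is left without it. The cleaner fix is a placeholder, e.g. `strQuery += ' WHERE user_id = ?'; params.push(request.query.id);` with `connection.query(strQuery, params, ...)` at the end of the handler, which presumably is the node `mysql`/`mysql2` client given the `connection.query(sql, cb)` call shape. Note also that `strQuery` is assigned here without `let`/`const`, so it appears to be an implicit global shared by every concurrent request to this handler. The handler continues past the end of this hunk.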
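Review bot: The new `account_no` branch in the second accounts.js hunk places `request.query.account_no` unescaped inside a quoted SQL literal, so any value containing a `'` changes the statement; this is the same string-interpolation problem the commit's `isNaN` checks were added to avoid, and `isNaN` would not help for a non-numeric field anyway. Use a `?` placeholder and collect the value in a params array (declared as `const params = [];` next to the initial `strQuery` assignment in the previous hunk) that is passed to `connection.query`. The two empty lines added before the closing brace look accidental, and the added `console.log(strQuery)` writes user-supplied values into the log. The handler continues past the end of this hunk.
```javascript
else if (request.query.account_no != null) {
  strQuery = 'SELECT a.* FROM accounts AS a WHERE a.acct_number = ?';
  params.push(request.query.account_no);
}
// … unchanged: LIMIT handling and console.log …
connection.query(strQuery, params, (err, result) => {
```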
@@ -85,11 +92,11 @@ router.delete("/:account_no", (request, response) => { }); // UpdateAccountBalance() -// PUT route for /accounts query -router.put("/name", (request, response) => { +// PUT route for /accounts/balance +router.put("/balance", (request, response) => { console.log(request.body); // - strQuery = `UPDATE accounts SET balance = ${request.body.balance} WHERE acct_number = ${request.body.account_no})`; + strQuery = `UPDATE accounts SET balance = ${request.body.balance} WHERE acct_number = '${request.body.account_no}')`; console.log(strQuery); connection.query(strQuery, (err, result) => { diff --git a/nusmoney_backend/routes/messages.js b/nusmoney_backend/routes/messages.js index cd38660..3a4c4dd 100644 --- a/nusmoney_backend/routes/messages.js +++ b/nusmoney_backend/routes/messages.js @@ -21,7 +21,7 @@ router.post("/", (request, response) => { // delete message router.delete("/:message_id", (request, response) => { // - connection.query(`DELETE FROM messages WHERE id = ${request.body.message_id}`, + connection.query(`DELETE FROM messages WHERE id = ${request.params.message_id}`, (err, result) => { if (err) { response.send("Some record error occur"); @@ -38,6 +38,18 @@ router.get("/", (request, response) => { console.log(request.body); // strQuery = "SELECT * FROM messages"; + if (request.query.id != null) { + // validation to prevent show all users + // eg. : "123 OR 1=1" + if (isNaN(request.query.id)){ + // invalid id + response.send("Invalid id format occur"); + return; + } + + strQuery += ` WHERE user_id = ${request.query.id}` + } + if (request.query.limit > 0) { strQuery += ` LIMIT ${request.query.limit}` } diff --git a/nusmoney_backend/routes/users.js b/nusmoney_backend/routes/users.js index 5c769e8..2bf1005 100644 --- a/nusmoney_backend/routes/users.js +++ b/nusmoney_backend/routes/users.js 
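Review bot: The rewritten UPDATE in the accounts.js `/balance` hunk still ends with a stray `)` after the `acct_number` literal, so the statement is a syntax error and every PUT request to this route fails; the quoting change does not fix that. The `balance` and `account_no` values are also interpolated directly, and unlike the other routes in this commit `balance` gets no numeric check. Both issues go away with placeholders: `strQuery = 'UPDATE accounts SET balance = ? WHERE acct_number = ?';` and `connection.query(strQuery, [request.body.balance, request.body.account_no], (err, result) => {`. The handler continues past the end of this hunk.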
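Review bot: The corrected DELETE in messages.js now reads the id from `request.params`, but it is still spliced into the SQL string, and this route gets none of the `isNaN` guards the commit adds to the GET handler below and to users.js. Since `isNaN` alone would be a weak barrier here too, the line is better written with a placeholder: `connection.query('DELETE FROM messages WHERE id = ?', [request.params.message_id],`. The handler continues past the end of this hunk.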
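Review bot: The new `isNaN(request.query.id)` guard in the messages.js GET hunk lets through values that are not valid ids: `isNaN('')` is false because `Number('')` is 0, so `?id=` produces `WHERE user_id = ` and a database error, and hex or exponent forms such as `0x1f` or `1e3` pass as well, while `id` is still interpolated after the check. The same block is repeated in users.js at the GET, PUT and DELETE hunks, so a shared helper such as `const isValidId = (v) => /^\d+$/.test(String(v));` used in all four places would be tighter, and the rejection should carry an error status, `response.status(400).send("Invalid id format occur"); return;`, rather than a 200, assuming this is an Express router. The comment `// validation to prevent show all users` was copied from users.js; here it should read `// validation to prevent showing all messages`. A `?` placeholder with a params array on the added `WHERE` line would make the format check defence in depth rather than the only barrier.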
@@ -38,6 +38,14 @@ router.get("/", (request, response) => { sql += `WHERE name = '${request.query.name}'`; } else if (request.query.id != null) { + // validation to prevent show all users + // eg. : "123 OR 1=1" + if (isNaN(request.query.id)){ + // invalid id + response.send("Invalid id format occur"); + return; + } + // sql += `WHERE user_id = ${request.query.id}`; } @@ -59,12 +67,22 @@ router.get("/", (request, response) => { }); // UpdateUserName() -// PUT route for /users?id=xx query +// PUT route for /users // with body = { "name" = "..." } router.put("/", (request, response) => { // + if (request.body.id != null){ + // validation to prevent update all users + // eg. : "123 OR 1=1" + if (isNaN(request.body.id)){ + // invalid id + response.send("Invalid id format occur"); + return; + } + } + connection.query(`UPDATE users SET name = '${request.body.name}' - WHERE user_id = ${request.query.id}`, + WHERE user_id = ${request.body.id}`, (err, result) => { if (err) { response.send("user id error occur"); @@ -79,6 +97,16 @@ router.put("/", (request, response) => { // DELETE route for /users query // router.delete("/:id", (request, response) => { + // + if (request.params.id != null){ + // validation to prevent delete all users + // eg. : "123 OR 1=1" + if (isNaN(request.params.id)){ + // invalid id + response.send("Invalid id format occur"); + return; + } + } // let sql = `DELETE FROM users WHERE user_id = ${request.params.id}`; console.log(sql);
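Review bot: The validation in the users.js PUT hunk is wrapped in `if (request.body.id != null)`, so a request with no `id` in the body skips the check and the query becomes `WHERE user_id = undefined`, which presumably fails in the database rather than being rejected cleanly; a missing id should be a 400 like a malformed one, e.g. `if (request.body.id == null || isNaN(request.body.id)) {`. `request.body.name` is still interpolated unescaped into the UPDATE, so the `isNaN` guard does not close the injection path on this route; placeholders do: `connection.query('UPDATE users SET name = ? WHERE user_id = ?', [request.body.name, request.body.id],`. The route comment should also mention the new body field, e.g. `// with body = { "id": ..., "name": "..." }`. The handler continues past the end of this hunk.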
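Review bot: `request.params.id` can never be null for a matched `/:id` route, so the outer `if (request.params.id != null)` in the users.js DELETE hunk is dead and the inner check can stand on its own: `if (isNaN(request.params.id)) { response.status(400).send("Invalid id format occur"); return; }`. The `let sql = ...` line that follows still builds the statement by interpolating `request.params.id`; `let sql = 'DELETE FROM users WHERE user_id = ?';` with the id passed as a parameter to `connection.query` (outside this hunk) would remove the dependence on the format check. The handler continues past the end of this hunk.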