add API validation check

yikth 5 years ago
parent 4a4f20d67f
commit 086267e561

@ -37,11 +37,11 @@ router.post("/", (request, response) => {
// ShowAccounts() // ShowAccounts()
// GET route for /accounts query (AddUser) // GET route for /accounts query (AddUser)
router.get("/", (request, response) => { router.get("/", (request, response) => {
console.log(request.body); console.log(request.query);
// //
strQuery = "SELECT * FROM accounts"; strQuery = "SELECT * FROM accounts";
if (request.query.id != null) { if (request.query.id != null) {
strQuery += ` WHERE user_id = ${request.query.id}` strQuery += ` WHERE user_id = ${request.query.id}`;
} }
else if (request.query.name != null) { else if (request.query.name != null) {
strQuery = `SELECT u.name, a.* FROM accounts AS a strQuery = `SELECT u.name, a.* FROM accounts AS a
@ -49,11 +49,18 @@ router.get("/", (request, response) => {
ON u.user_id = a.user_id ON u.user_id = a.user_id
WHERE u.name = '${request.query.name}'`; WHERE u.name = '${request.query.name}'`;
} }
else if (request.query.account_no != null) {
strQuery = `SELECT a.* FROM accounts AS a
WHERE a.acct_number = '${request.query.account_no}'`;
}
if (request.query.limit > 0) { if (request.query.limit > 0) {
strQuery += ` LIMIT ${request.query.limit}` strQuery += ` LIMIT ${request.query.limit}`
} }
//
console.log(strQuery);
connection.query(strQuery, connection.query(strQuery,
(err, result) => { (err, result) => {
if (err) { if (err) {
@ -67,7 +74,7 @@ router.get("/", (request, response) => {
// DeleteAccount() // DeleteAccount()
// DELETE route for /accounts query // DELETE route for /accounts/{account_no} query
router.delete("/:account_no", (request, response) => { router.delete("/:account_no", (request, response) => {
console.log(request.params); console.log(request.params);
// //
@ -85,11 +92,11 @@ router.delete("/:account_no", (request, response) => {
}); });
// UpdateAccountBalance() // UpdateAccountBalance()
// PUT route for /accounts query // PUT route for /accounts/balance
router.put("/name", (request, response) => { router.put("/balance", (request, response) => {
console.log(request.body); console.log(request.body);
// //
strQuery = `UPDATE accounts SET balance = ${request.body.balance} WHERE acct_number = ${request.body.account_no})`; strQuery = `UPDATE accounts SET balance = ${request.body.balance} WHERE acct_number = '${request.body.account_no}')`;
console.log(strQuery); console.log(strQuery);
connection.query(strQuery, connection.query(strQuery,
(err, result) => { (err, result) => {
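Review bot: The new `account_no` branch in the accounts GET handler interpolates `request.query.account_no` straight into the SQL text (`WHERE a.acct_number = '${request.query.account_no}'`), so it adds another injection point (`?account_no=' OR '1'='1` returns every account) even though the commit's stated purpose is API validation; the pre-existing `id` and `name` branches of the same handler have the same problem, and the `isNaN` gate added to the other routers is not applied here. Assuming `connection` is the mysql/mysql2 driver that the `(err, result)` callback shape suggests, the durable fix is to build a `params` array next to `strQuery` and pass it as the second argument so the driver escapes each value; a sketch is below. Separately, the UPDATE in the PUT `/balance` handler still ends with a stray `)` after the `acct_number` literal on the new side, so that statement cannot parse, and `balance` is interpolated unescaped as well — `UPDATE accounts SET balance = ? WHERE acct_number = ?` with `[request.body.balance, request.body.account_no]` fixes both. `strQuery` is also assigned without `let`/`const`, making it an implicit global shared between concurrent requests. The GET handler's tail and the PUT handler's body continue past this hunk.
```javascript
const params = [];
let strQuery = "SELECT * FROM accounts";
if (request.query.id != null) {
  strQuery += " WHERE user_id = ?";
  params.push(request.query.id);
}
else if (request.query.name != null) {
  // … unchanged: SELECT u.name, a.* FROM accounts AS a … JOIN … ON u.user_id = a.user_id …
  //   with the trailing clause becoming:  WHERE u.name = ?
  params.push(request.query.name);
}
else if (request.query.account_no != null) {
  strQuery = "SELECT a.* FROM accounts AS a WHERE a.acct_number = ?";
  params.push(request.query.account_no);
}
if (request.query.limit > 0) {
  strQuery += " LIMIT ?";
  params.push(Number(request.query.limit)); // driver quotes strings; LIMIT needs a number
}
// … unchanged: logging …
connection.query(strQuery, params,
```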

@ -21,7 +21,7 @@ router.post("/", (request, response) => {
// delete message // delete message
router.delete("/:message_id", (request, response) => { router.delete("/:message_id", (request, response) => {
// //
connection.query(`DELETE FROM messages WHERE id = ${request.body.message_id}`, connection.query(`DELETE FROM messages WHERE id = ${request.params.message_id}`,
(err, result) => { (err, result) => {
if (err) { if (err) {
response.send("Some record error occur"); response.send("Some record error occur");
@ -38,6 +38,18 @@ router.get("/", (request, response) => {
console.log(request.body); console.log(request.body);
// //
strQuery = "SELECT * FROM messages"; strQuery = "SELECT * FROM messages";
if (request.query.id != null) {
// validation to prevent show all users
// eg. : "123 OR 1=1"
if (isNaN(request.query.id)){
// invalid id
response.send("Invalid id format occur");
return;
}
strQuery += ` WHERE user_id = ${request.query.id}`
}
if (request.query.limit > 0) { if (request.query.limit > 0) {
strQuery += ` LIMIT ${request.query.limit}` strQuery += ` LIMIT ${request.query.limit}`
} }
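Review bot: The DELETE `/:message_id` route in this file still interpolates `request.params.message_id` into `DELETE FROM messages WHERE id = ${…}` with no check at all, while the same commit adds an `isNaN` guard to the users DELETE route; a URL-encoded `1 OR 1=1` as the path segment deletes every message. The switch from `request.body.message_id` to `request.params.message_id` is correct but makes this reachable with a plain GET-style URL, so it deserves the same treatment. Rather than extending the `isNaN` denylist (which also lets through `""`, whitespace and `0x..` forms that `Number()` accepts), pass the value as a bound parameter, assuming the mysql-style driver the callback shape suggests: `connection.query("DELETE FROM messages WHERE id = ?", [request.params.message_id],`. The same placeholder form would replace the `isNaN` gate in the GET handler, and the invalid-id reply there should carry `response.status(400)` rather than the default 200.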

@ -38,6 +38,14 @@ router.get("/", (request, response) => {
sql += `WHERE name = '${request.query.name}'`; sql += `WHERE name = '${request.query.name}'`;
} }
else if (request.query.id != null) { else if (request.query.id != null) {
// validation to prevent show all users
// eg. : "123 OR 1=1"
if (isNaN(request.query.id)){
// invalid id
response.send("Invalid id format occur");
return;
}
//
sql += `WHERE user_id = ${request.query.id}`; sql += `WHERE user_id = ${request.query.id}`;
} }
@ -59,12 +67,22 @@ router.get("/", (request, response) => {
}); });
// UpdateUserName() // UpdateUserName()
// PUT route for /users?id=xx query // PUT route for /users
// with body = { "name" = "..." } // with body = { "name" = "..." }
router.put("/", (request, response) => { router.put("/", (request, response) => {
// //
if (request.body.id != null){
// validation to prevent update all users
// eg. : "123 OR 1=1"
if (isNaN(request.body.id)){
// invalid id
response.send("Invalid id format occur");
return;
}
}
connection.query(`UPDATE users SET name = '${request.body.name}' connection.query(`UPDATE users SET name = '${request.body.name}'
WHERE user_id = ${request.query.id}`, WHERE user_id = ${request.body.id}`,
(err, result) => { (err, result) => {
if (err) { if (err) {
response.send("user id error occur"); response.send("user id error occur");
@ -79,6 +97,16 @@ router.put("/", (request, response) => {
// DELETE route for /users query // DELETE route for /users query
// //
router.delete("/:id", (request, response) => { router.delete("/:id", (request, response) => {
//
if (request.params.id != null){
// validation to prevent delete all users
// eg. : "123 OR 1=1"
if (isNaN(request.params.id)){
// invalid id
response.send("Invalid id format occur");
return;
}
}
// //
let sql = `DELETE FROM users WHERE user_id = ${request.params.id}`; let sql = `DELETE FROM users WHERE user_id = ${request.params.id}`;
console.log(sql); console.log(sql);
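Review bot: The PUT `/` handler validates `request.body.id` with `isNaN` but then interpolates `request.body.name` unescaped into `SET name = '${request.body.name}'`, so a body name of `x' WHERE 1=1 -- ` rewrites every user's name regardless of the id check; the `name` branch of the GET handler (`WHERE name = '${request.query.name}'`) has the same exposure. Assuming the mysql-style driver that the `(err, result)` callback suggests, bind both values instead: `connection.query("UPDATE users SET name = ? WHERE user_id = ?", [request.body.name, request.body.id],`, which also makes the `isNaN` gate redundant. When `id` is absent the guard is skipped entirely and the statement is sent with `user_id = undefined`, which should be rejected up front as a 400 rather than surfacing as a database error. The invalid-id replies in both new guards use `response.send` with the default 200 status; `response.status(400).send(...)` would let clients distinguish them.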
