add API validation check

5 years ago · 086267e561
parent 4a4f20d67f
commit 086267e561
3 changed files with 57 additions and 10 deletions
--- a/nusmoney_backend/routes/accounts.js
+++ b/nusmoney_backend/routes/accounts.js
@ -37,11 +37,11 @@ router.post("/", (request, response) => {
 // ShowAccounts()
 // GET route for /accounts query (AddUser)
 router.get("/", (request, response) => {
-  console.log(request.body);
+  console.log(request.query);
  //
  strQuery = "SELECT * FROM accounts";
  if (request.query.id != null) {
-    strQuery += ` WHERE user_id = ${request.query.id}`
+    strQuery += ` WHERE user_id = ${request.query.id}`;
    }
    else if (request.query.name != null) {
        strQuery = `SELECT u.name, a.* FROM accounts AS a
@ -49,11 +49,18 @@ router.get("/", (request, response) => {
        ON u.user_id = a.user_id
        WHERE u.name = '${request.query.name}'`;
    }
+    else if (request.query.account_no != null) {
+        strQuery = `SELECT a.* FROM accounts AS a
+        WHERE a.acct_number = '${request.query.account_no}'`;
+
+
+    }

  if (request.query.limit > 0) {
      strQuery += ` LIMIT ${request.query.limit}`
  }
-
+  //
+  console.log(strQuery);
  connection.query(strQuery, 
  (err, result) => {
      if (err) {
@ -67,7 +74,7 @@ router.get("/", (request, response) => {


 // DeleteAccount()
-// DELETE route for /accounts query 
+// DELETE route for /accounts/{account_no} query 
 router.delete("/:account_no", (request, response) => {
  console.log(request.params);
  //
@ -85,11 +92,11 @@ router.delete("/:account_no", (request, response) => {
 });

 // UpdateAccountBalance()
-// PUT route for /accounts query 
-router.put("/name", (request, response) => {
+// PUT route for /accounts/balance 
+router.put("/balance", (request, response) => {
  console.log(request.body);
  //
-  strQuery = `UPDATE accounts SET balance = ${request.body.balance} WHERE acct_number = ${request.body.account_no})`;
+  strQuery = `UPDATE accounts SET balance = ${request.body.balance} WHERE acct_number = '${request.body.account_no}')`;
  console.log(strQuery);
  connection.query(strQuery, 
  (err, result) => {
--- a/nusmoney_backend/routes/messages.js
+++ b/nusmoney_backend/routes/messages.js
@ -21,7 +21,7 @@ router.post("/", (request, response) => {
 // delete message
 router.delete("/:message_id", (request, response) => {
  //
-  connection.query(`DELETE FROM messages WHERE id = ${request.body.message_id}`, 
+  connection.query(`DELETE FROM messages WHERE id = ${request.params.message_id}`, 
  (err, result) => {
      if (err) {
          response.send("Some record error occur");
@ -38,6 +38,18 @@ router.get("/", (request, response) => {
  console.log(request.body);
  //
  strQuery = "SELECT * FROM messages";
+  if (request.query.id != null) {
+    // validation to prevent show all users
+    // eg. : "123 OR 1=1"
+    if (isNaN(request.query.id)){
+        // invalid id
+        response.send("Invalid id format occur");
+        return;
+      }
+      
+      strQuery += ` WHERE user_id = ${request.query.id}`
+ }
+
  if (request.query.limit > 0) {
      strQuery += ` LIMIT ${request.query.limit}`
  }
--- a/nusmoney_backend/routes/users.js
+++ b/nusmoney_backend/routes/users.js
@ -38,6 +38,14 @@ router.get("/", (request, response) => {
    sql += `WHERE name = '${request.query.name}'`;
  }
  else if (request.query.id != null) {
+    // validation to prevent show all users
+    // eg. : "123 OR 1=1"
+    if (isNaN(request.query.id)){
+      // invalid id
+      response.send("Invalid id format occur");
+      return;
+    }
+    //
    sql += `WHERE user_id = ${request.query.id}`;
  }

@ -59,12 +67,22 @@ router.get("/", (request, response) => {
 });

 // UpdateUserName()
-// PUT route for /users?id=xx query
+// PUT route for /users
 // with body = { "name" = "..." }
 router.put("/", (request, response) => {
  //
+  if (request.body.id != null){
+    // validation to prevent update all users
+    // eg. : "123 OR 1=1"
+    if (isNaN(request.body.id)){
+      // invalid id
+      response.send("Invalid id format occur");
+      return;
+    }
+  }
+
  connection.query(`UPDATE users SET name = '${request.body.name}'
-  WHERE user_id = ${request.query.id}`, 
+  WHERE user_id = ${request.body.id}`, 
  (err, result) => {
      if (err) {
          response.send("user id error occur");
@ -79,6 +97,16 @@ router.put("/", (request, response) => {
 // DELETE route for /users query
 // 
 router.delete("/:id", (request, response) => {
+  //
+  if (request.params.id != null){
+    // validation to prevent delete all users
+    // eg. : "123 OR 1=1"
+    if (isNaN(request.params.id)){
+      // invalid id
+      response.send("Invalid id format occur");
+      return;
+    }
+  }
  //
  let sql = `DELETE FROM users WHERE user_id = ${request.params.id}`;
  console.log(sql);