SQL Injection Vulnerability on Security Bot

[delusko22]

Vulnerable code is on the following line:

Aroah_Security_Bot_Discord/commands/config/editprefix.js

Line 44 in c737dd5

client.db.query(`UPDATE server SET prefix = '${args[1]}' WHERE serverID = '${message.guildID}'`)

By passing raw values into your SQL statements, people can perform SQL injections easily.
You need to escape the input or use parameters as in the examples below.

client.db.query(`UPDATE server SET prefix = ? WHERE serverID = '${message.guildID}'`, [args[1]]) 
client.db.query(`UPDATE server SET prefix = '${client.db.escape(args[1])}' WHERE serverID = '${message.guildID}'`) 

[AdamT20054]

I'll make a fork for the fix if I get some time later, dont know if the owner is still active on this repo?

[Logipek]

Hello
of course I'm still active on github it's true that it was one of my first bot and that there were some errors

it's with pleasure I'm waiting for your fork