Skip to content

User Story: Fix SQL injection in src/javascript/backend/database/queries.js #85

New issue
New issue
Open
Open
User Story: Fix SQL injection in src/javascript/backend/database/queries.js#85
Assignees
KrishiJi
Labels
buggy-fileFiles that are intentionally buggy or brokenneeds-reviewNeeds human reviewsecuritySecurity related issues
@aliAljaffer

Description

@aliAljaffer
aliAljaffer
opened on Oct 13, 2025

As a developer
I want to remove string interpolation from SQL queries in src/javascript/backend/database/queries.js and use parameterized queries
So that the application is not vulnerable to SQL injection attacks

Acceptance Criteria

  • Replace constructs like const query = `SELECT * FROM users WHERE username = '${username}'`; with parameterized queries provided by the DB library (e.g., this.conn.query('SELECT * FROM users WHERE username = ?', [username])).

Details
Found usage of dynamic SQL building via template literals which permits injection. The file contains: SELECT * FROM users WHERE username = '${username}'.

Metadata

Metadata

Assignees

Labels

buggy-fileFiles that are intentionally buggy or brokenneeds-reviewNeeds human reviewsecuritySecurity related issues

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions