From 0c716bccacdce8ca84d44f597d6e7fdfc64b28f5 Mon Sep 17 00:00:00 2001
From: Fabien Zucchet <fabien.zucchet@student-cs.fr>
Date: Tue, 2 Mar 2021 13:37:19 +0100
Subject: [PATCH] Try to fix SQL injections

---
 back/src/controllers/administrateur.controller.js | 6 +++---
 back/src/tools/sql.js                             | 9 ---------
 2 files changed, 3 insertions(+), 12 deletions(-)
 delete mode 100644 back/src/tools/sql.js

diff --git a/back/src/controllers/administrateur.controller.js b/back/src/controllers/administrateur.controller.js
index b8257179..3d118e87 100644
--- a/back/src/controllers/administrateur.controller.js
+++ b/back/src/controllers/administrateur.controller.js
@@ -1,6 +1,5 @@
 const mysql = require('mysql');
 const fetch = require('node-fetch');
-const sql = require('../tools/sql.js')
 var secrets = require('../secrets.js');
 var dbhost = secrets.dbhost;
 var dbuser = secrets.dbuser;
@@ -45,9 +44,10 @@ function addNewAdministrateur(req, res) {
 
 function updateAdministrateur(req, res) {
   var con = mysql.createConnection(dbConfig);
-  var query = "UPDATE Admin SET login = '" + req.body.login + "' WHERE id=" + req.body.id + ";"
+  var query = "UPDATE Admin SET login = ? WHERE id=?;"
+  var inserts = [req.body.login, req.body.id];
   con.connect();
-  con.query(query, (err, result) => {
+  con.query(query, inserts, (err, result) => {
     if (err) {
       console.log(err)
       return res.send({ success: false })
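Review bot: The new placeholders fix the string-concatenated query, but `req.body.login` and `req.body.id` are still passed to `con.query` untyped, and the `mysql` driver's value escaping turns an object into `key = value` pairs and an array into a comma-separated list rather than a quoted string, so a JSON body like `{"login": {"id": 1}}` is rendered as an SQL fragment instead of a literal. A type guard before the query closes that gap, e.g. `if (typeof req.body.login !== 'string' || !Number.isInteger(Number(req.body.id))) return res.status(400).send({ success: false });`. Consider also logging only `err.code` rather than the whole error object, since the driver error can echo the failed SQL. The remainder of updateAdministrateur (the callback body and any `con.end()`) is outside the hunk, so whether the connection is released on the error path cannot be confirmed from here.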
diff --git a/back/src/tools/sql.js b/back/src/tools/sql.js
deleted file mode 100644
index dc341d81..00000000
--- a/back/src/tools/sql.js
+++ /dev/null
@@ -1,9 +0,0 @@
-exports.preparer = function (mysql, requete_sql, inserts) {
-    requete_sql = mysql.format(requete_sql, inserts)
-        // nous utilisons la méthode .remplace avec une expression régulière
-        // pour supprimer les accents graves et les points
-        .replace(/`/g, "'")
-        .replace(/'\.'/g, ".")
-        .replace(/'/g, "\\'");
-    return requete_sql;
-}
\ No newline at end of file
-- 
GitLab