@@ -21,14 +21,14 @@ exports.toggleEntryStatus = function(id, state, callback){
2121 // 1 = confirmed | 2 = removed
2222 let sql ;
2323 if ( state === '1' || state === '2' ) {
24- sql = "UPDATE entries SET status = " + state + " WHERE id = " + id ;
24+ sql = "UPDATE entries SET status = ? WHERE id = ?" ;
2525 } else {
26- callback ( { } , false ) ;
27- return ;
26+ callback ( { } , false ) ;
27+ return ;
2828 }
2929
3030 // make the query
31- connection . query ( sql , function ( err , results ) {
31+ connection . query ( sql , [ state , id ] , function ( err , results ) {
3232 connection . release ( ) ;
3333 if ( err ) { callback ( results , true ) ; return ; }
3434 callback ( results , false ) ;
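Review bot: The `else` branch on the new side returns without `connection.release()`; the only release is inside the query callback, so an invalid `state` never gives the connection back to the pool. Assuming `connection` comes from `pool.getConnection` as in the sibling functions (the function's opening lines are outside the hunk), release before bailing out: `} else { connection.release(); callback({}, false); return; }`. Note also that `callback({}, false)` reports the rejected state as success; `callback({}, true)` would match how query errors are reported two lines below. The function's body continues past the hunk.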
@@ -39,12 +39,11 @@ exports.toggleEntryStatus = function(id, state, callback){
3939exports . isValidApiKey = function ( secret , callback ) {
4040 pool . getConnection ( function ( err , connection ) {
4141 if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
42- let sql = "SELECT valid from apikeys WHERE secret = '" + secret + "';" ;
4342
44- console . log ( sql ) ;
43+ let sql = "SELECT valid from apikeys WHERE secret = '?';" ;
4544
4645 // make the query
47- connection . query ( sql , function ( err , results ) {
46+ connection . query ( sql , [ secret ] , function ( err , results ) {
4847 connection . release ( ) ;
4948 if ( err ) { callback ( results , true ) ; return ; }
5049 callback ( results , false ) ;
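Review bot: The new `sql` line quotes the placeholder, `secret = '?'`, but `connection.query(sql, values)` substitutes `?` with an already-quoted and escaped literal (assuming the mysql/mysql2 driver, which the `pool.getConnection`/`connection.release` calls suggest), so the statement becomes `secret = ''…''` and fails; a prepared-statement API would not treat a quoted `?` as a placeholder at all. Drop the quotes: `let sql = "SELECT valid from apikeys WHERE secret = ?;";`. The old string-built query did not have this problem, so every API-key check now errors until this is fixed; a run against the database would have caught it.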
@@ -57,15 +56,13 @@ exports.getEntries = function(limit, offset, active, callback){
5756 if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
5857 let sql = '' ;
5958 if ( active === '0' ) {
60- sql = "SELECT * FROM entries ORDER BY ID DESC LIMIT " + limit + " OFFSET " + offset + " ;";
59+ sql = "SELECT * FROM entries ORDER BY ID DESC LIMIT ? OFFSET ? ;" ;
6160 } else {
62- sql = "SELECT * FROM entries WHERE email_confirmed = 1 AND status = 1 ORDER BY ID DESC LIMIT " + limit + " OFFSET " + offset + " ;";
61+ sql = "SELECT * FROM entries WHERE email_confirmed = 1 AND status = 1 ORDER BY ID DESC LIMIT ? OFFSET ? ;" ;
6362 }
6463
65- console . log ( sql ) ;
66-
6764 // make the query
68- connection . query ( sql , function ( err , results ) {
65+ connection . query ( sql , [ limit , offset ] , function ( err , results ) {
6966 connection . release ( ) ;
7067 if ( err ) { callback ( results , true ) ; return ; }
7168 callback ( results , false ) ;
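Review bot: `LIMIT ? OFFSET ?` on the new side is only valid when `limit` and `offset` are bound as numbers; the `active === '0'` comparison suggests these arrive as query-string values, and the driver escapes a JS string as a quoted literal, producing `LIMIT '10'`, which MySQL rejects. The old concatenation accepted strings (at the cost of the injection this commit removes), so the regression is easy to miss. Coerce before binding, e.g. `connection.query(sql, [Number.parseInt(limit, 10), Number.parseInt(offset, 10)], function (err, results) {`; a non-numeric value then becomes `NaN`, which the query rejects and the existing `err` path reports, though an explicit non-negative-integer check before running the query would be cleaner. The function starts outside the hunk.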
@@ -75,11 +72,12 @@ exports.getEntries = function(limit, offset, active, callback){
7572
7673exports . getUserByHash = function ( hash , callback ) {
7774 pool . getConnection ( function ( err , connection ) {
78- if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
79- let sql = "SELECT email, firstname from entries WHERE confirm_key = '" + hash + "';" ;
75+ if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
76+
77+ let sql = "SELECT email, firstname from entries WHERE confirm_key = '?';" ;
8078
8179 // make the query
82- connection . query ( sql , function ( err , results ) {
80+ connection . query ( sql , [ hash ] , function ( err , results ) {
8381 connection . release ( ) ;
8482 if ( err ) { callback ( results , true ) ; return ; }
8583 callback ( results , false ) ;
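Review bot: The placeholder in the new `sql` line is wrapped in quotes, `confirm_key = '?'`; with the driver's `query(sql, values)` escaping the bound value already arrives quoted, so the resulting `confirm_key = ''…''` is a syntax error and every lookup fails. Use a bare placeholder: `let sql = "SELECT email, firstname from entries WHERE confirm_key = ?;";`. The same pattern appears in the other hunks of this commit and should be fixed consistently.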
@@ -90,12 +88,12 @@ exports.getUserByHash = function(hash, callback){
9088exports . verifyEntry = function ( hash , callback ) {
9189 pool . getConnection ( function ( err , connection ) {
9290 if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
93- let sql = "UPDATE entries set email_confirmed = 1, confirmed_at = " + moment ( ) . valueOf ( ) + " WHERE" ;
94- sql += " confirm_key = '" + hash + "' AND" ;
95- sql += " confirmed_at is null;";
91+
92+ let sql = "UPDATE entries set email_confirmed = 1, confirmed_at = ? "
93+ + "WHERE confirm_key = '?' AND confirmed_at is null;";
9694
9795 // make the query
98- connection . query ( sql , function ( err , results ) {
96+ connection . query ( sql , [ moment ( ) . valueOf ( ) , hash ] , function ( err , results ) {
9997 connection . release ( ) ;
10098 if ( err || results . affectedRows < 1 ) { callback ( results , true ) ; return ; }
10199 callback ( results , false ) ;
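Review bot: `confirm_key = '?'` in the new `sql` string quotes the placeholder, unlike the correct `confirmed_at = ?` just before it; the driver substitutes an already-quoted literal, so the UPDATE fails with a syntax error and `verifyEntry` reports every confirmation as an error through the `err` check. Change the second fragment to `+ "WHERE confirm_key = ? AND confirmed_at is null;";`. The `affectedRows < 1` check on the next line is fine once the query actually runs.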
@@ -106,6 +104,7 @@ exports.verifyEntry = function(hash, callback){
106104exports . getCount = function ( callback ) {
107105 pool . getConnection ( function ( err , connection ) {
108106 if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
107+
109108 let sql = "SELECT count(*) as cnt FROM entries WHERE email_confirmed > 0 AND status < 2 AND country != '';" ;
110109
111110 // make the query
@@ -122,45 +121,51 @@ exports.saveEntry = function(fields, callback){
122121 if ( err ) { console . log ( err ) ; callback ( true ) ; return ; }
123122 let data = prepareEntry ( fields ) ;
124123
125- let sqle = "SELECT count(*) as cnt FROM entries WHERE email = '" + data . email + " ';";
126- connection . query ( sqle , function ( err , results ) {
124+ let sqlEmailExists = "SELECT count(*) as cnt FROM entries WHERE email = '? ';" ;
125+ connection . query ( sqlEmailExists , [ data . email ] , function ( err , results ) {
127126 if ( ! err ) {
128127 if ( results [ 0 ] [ 'cnt' ] > 0 ) {
129128 callback ( true ) ;
130129 return ;
131130 } else {
132- let sql = "INSERT INTO entries (firstname, lastname, email, country, message, anon, ipv4, image, created_at, updated_at, confirm_key, beta, newsletter, pax) VALUES (" ;
133- sql += "'" + data . firstname + "', " ;
134- sql += "'" + data . lastname + "', " ;
135- sql += "'" + data . email + "', " ;
136- sql += "'" + data . country + "', " ;
137- sql += "'" + data . message + "', " ;
138- sql += data . anon + ", " ;
139- sql += "'" + data . ipv4 + "', " ;
140- sql += "'" + data . image + "', " ;
141- sql += data . created_at + ", " ;
142- sql += data . updated_at + ", " ;
143- sql += "'" + data . randomHash + "', " ;
144- sql += data . beta + ", " ;
145- sql += data . newsletter + ", " ;
146- sql += data . pax + ");" ;
131+ let sql = "INSERT INTO entries (firstname, lastname, email, country, message, anon, ipv4, image, "
132+ + "created_at, updated_at, confirm_key, beta, newsletter, pax) "
133+ + "VALUES ('?', '?', '?', '?', '?', ?, '?', '?', ?, ?, '?', ?, ?, ?);" ;
147134
148135 // run the query
149- connection . query ( sql , function ( err , results ) {
150- connection . release ( ) ;
151- if ( err ) { callback ( true ) ; return ; }
152- callback ( false , results ) ;
153- } ) ;
136+ connection . query (
137+ sql ,
138+ [
139+ data . firstname ,
140+ data . lastname ,
141+ data . email ,
142+ data . country ,
143+ data . message ,
144+ data . anon ,
145+ data . ipv4 ,
146+ data . image ,
147+ data . created_at ,
148+ data . updated_at ,
149+ data . randomHash ,
150+ data . beta ,
151+ data . newsletter ,
152+ data . pax ,
153+ ] ,
154+ function ( err , results ) {
155+ connection . release ( ) ;
156+ if ( err ) { callback ( true ) ; return ; }
157+ callback ( false , results ) ;
158+ }
159+ ) ;
154160 }
155161 }
156162 } ) ;
157163 } ) ;
158164} ;
159165
160- /*
161- * most fields get sanitized and escaped by node-mysql
166+ /**
162167 * this function is to prevent application errors
163- ** /
168+ */
164169function prepareEntry ( data ) {
165170 let now = moment ( ) . valueOf ( ) ;
166171
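Review bot: Both new statements in `saveEntry` quote their placeholders — `email = '? '` (which also carries over the stray trailing space from the old `" '"`) and the `VALUES ('?', '?', …)` list — so the driver's escaped, already-quoted values produce malformed SQL and the duplicate check errors before any INSERT is attempted (the `if (!err)` guard then silently drops the request without calling back). Use bare placeholders: `let sqlEmailExists = "SELECT count(*) as cnt FROM entries WHERE email = ?;";` and `+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);";`. The comment removed from `prepareEntry` ("most fields get sanitized and escaped by node-mysql") would be accurate again once the placeholders are correct and could be kept; `prepareEntry`'s body continues outside the hunk.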
@@ -171,4 +176,4 @@ function prepareEntry(data){
171176 data [ "updated_at" ] = now ;
172177
173178 return data ;
174- }
179+ }