@@ routes/auth.js @@
−// no auth, no validation
−app.get('/users', (req, res) => {
− const id = req.query.id // from URL, untrusted
− db.query(`SELECT * FROM users WHERE id = ${id}`) // SQL injection
− .then(data => res.json(data))
−}
Anyone visiting your site can type ?id=1 OR 1=1 in the URL and read every user's name, email, and password from your database. No hacking skills needed — just a browser.
+app.get('/users', verifyToken, async (req, res) => {
+ const id = parseInt(req.query.id, 10)
+ if (isNaN(id)) return res.status(400).end()
+ const { rows } = await db.query(
+ 'SELECT id, name FROM users WHERE id = $1',
+ [id]
+ )
+ res.json(rows[0] ?? null)
}
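Review bot: The awaited db.query on line 12 is not wrapped in try/catch, so a rejected query becomes an unhandled rejection and the response is never sent unless the surrounding Express setup (not visible here) catches async handler errors; the handler should catch and forward to `next(err)`. The parse on line 10 is also lenient: parseInt accepts leading-numeric input such as `1abc` and an array-valued `?id=1&id=2`, and isNaN is the coercing global, whereas `Number(req.query.id)` checked with `Number.isInteger` rejects both. verifyToken authenticates the caller, but nothing ties the requested id to that caller, so any valid token can enumerate every user's id and name — if that is not intended, compare the id against the identity verifyToken establishes before querying. Rewritten handler below; the file keeps its no-semicolon style.
```javascript
app.get('/users', verifyToken, async (req, res, next) => {
  // Strict integer parse: rejects '1abc', arrays and NaN, unlike parseInt/isNaN
  const id = Number(req.query.id)
  if (!Number.isInteger(id)) return res.status(400).end()
  try {
    const { rows } = await db.query(
      'SELECT id, name FROM users WHERE id = $1',
      [id]
    )
    res.json(rows[0] ?? null)
  } catch (err) {
    // Forward to the error middleware instead of leaving the request hanging
    next(err)
  }
})
```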