sql-injection.js

const express = require("express");
const sqlite3 = require("sqlite3").verbose();
const app = express();

app.use(express.json());

const db = new sqlite3.Database(":memory:");

db.serialize(() => {
  db.run("CREATE TABLE users (id INT, username TEXT, password TEXT)");

  const stmt = db.prepare("INSERT INTO users VALUES (?, ?, ?)");
  stmt.run(1, "admin", "password123");
  stmt.run(2, "user", "userpass");
  stmt.finalize();
});

app.post("/#", (req, res) => {
  const { username, password } = req.body;

  const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;

  db.get(query, (err, row) => {
    if (err) {
      return res.status(500).send("Database error");
    }

    if (row) {
      res.send(`Welcome, ${row.username}!`);
    } else {
      res.status(401).send("Invalid credentials");
    }
  });
});

/*
sent this in body 
{
    "username": "admin",
    "password": " ' OR '1'='1"
}
*/

app.listen(3000, () => {
  console.log("Server running on port 3000");
});

/*
To fix this issue add bindings
const query = `SELECT * FROM users WHERE id = ?`;
db.all(query, [userId], (err, rows) => {
    ...
});

*/