Substitute parameters in SQL query on the database side

This should be used as protection against SQL injections instead of manual ones
https://github.com/superhero-com/tokaen-api/blob/77c9ccb282282867273d5d237477b5afdd5c07db/src/tokens/tokens.controller.ts#L86-L98

For example, 
https://github.com/superhero-com/tokaen-api/blob/77c9ccb282282867273d5d237477b5afdd5c07db/src/tokens/tokens.service.ts#L505-L529
replace with
```js
    const rankedQuery = `
      WITH all_ranked_tokens AS (
        SELECT 
          *,
          CAST(RANK() OVER (
            ORDER BY 
              CASE WHEN market_cap = 0 THEN 1 ELSE 0 END,
              market_cap DESC,
              created_at ASC
          ) AS INTEGER) as rank
        FROM token
        WHERE unlisted = false
      ),
      filtered_tokens AS (
        ${finalSubQuery}
      )
      SELECT all_ranked_tokens.*
      FROM all_ranked_tokens
      INNER JOIN filtered_tokens ON all_ranked_tokens.sale_address = filtered_tokens.sale_address
      ORDER BY $1 ${orderDirection}
      LIMIT ${limit}
      OFFSET ${(page - 1) * limit}
    `;

    const result = await this.tokensRepository.query(rankedQuery, [
      'all_ranked_tokens.' + orderBy,
    ]);
```

[Typeorm docs](https://typeorm.io/docs/working-with-entity-manager/repository-api/), see "query - Executes a raw SQL query" examples

found while checking https://github.com/superhero-com/tokaen-api/pull/91/

	// allowed sort fields to avoid SQL Injection
	const allowedSortFields = [
	'market_cap',
	'rank',
	'name',
	'price',
	'created_at',
	'trending_score',
	];
	if (!allowedSortFields.includes(orderBy)) {
	orderBy = 'market_cap';
	}
	const allowedOrderDirections = ['ASC', 'DESC'];

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Substitute parameters in SQL query on the database side #93

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	const rankedQuery = `
	WITH all_ranked_tokens AS (
	SELECT
	*,
	CAST(RANK() OVER (
	ORDER BY
	CASE WHEN market_cap = 0 THEN 1 ELSE 0 END,
	market_cap DESC,
	created_at ASC
	) AS INTEGER) as rank
	FROM token
	WHERE unlisted = false
	),
	filtered_tokens AS (
	${finalSubQuery}
	)
	SELECT all_ranked_tokens.*
	FROM all_ranked_tokens
	INNER JOIN filtered_tokens ON all_ranked_tokens.sale_address = filtered_tokens.sale_address
	ORDER BY all_ranked_tokens.${orderBy} ${orderDirection}
	LIMIT ${limit}
	OFFSET ${(page - 1) * limit}
	`;

	const result = await this.tokensRepository.query(rankedQuery);

Substitute parameters in SQL query on the database side #93

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions