Copilot AI commented Aug 28, 2025

This PR fixes critical SQL injection vulnerabilities in the vulnerable-node application by replacing string concatenation in SQL queries with parameterized queries.

Vulnerabilities Fixed

The following functions were vulnerable to SQL injection attacks due to direct string concatenation of user input into SQL queries:

Authentication Module (model/auth.js)

  • do_auth(): User credentials were directly concatenated into the WHERE clause

Before:

var q = "SELECT * FROM users WHERE name = '" + username + "' AND password ='" + password + "';";
return db.one(q);

After:

var q = "SELECT * FROM users WHERE name = $1 AND password = $2;";
return db.one(q, [username, password]);

Products Module (model/products.js)

  • getProduct(): Product ID was directly concatenated into the WHERE clause
  • search(): Search query was directly concatenated into ILIKE clauses
  • purchase(): All cart properties were directly concatenated into INSERT VALUES
  • get_purcharsed(): Username was directly concatenated into the WHERE clause

Before:

// Product lookup
var q = "SELECT * FROM products WHERE id = '" + product_id + "';";

// Search functionality
var q = "SELECT * FROM products WHERE name ILIKE '%" + query + "%' OR description ILIKE '%" + query + "%';";

// Purchase insertion
var q = "INSERT INTO purchases(...) VALUES('" + cart.mail + "', '" + cart.product_name + "', ...)";

After:

// Product lookup
var q = "SELECT * FROM products WHERE id = $1;";
return db.one(q, [product_id]);

// Search functionality
var q = "SELECT * FROM products WHERE name ILIKE $1 OR description ILIKE $2;";
return db.many(q, ['%' + query + '%', '%' + query + '%']);

// Purchase insertion
var q = "INSERT INTO purchases(...) VALUES($1, $2, $3, $4, $5, $6, $7, $8);";
return db.one(q, [cart.mail, cart.product_name, cart.username, cart.product_id, cart.address, cart.phone, cart.ship_date, cart.price]);

Security Impact

These changes prevent attackers from:

  • Bypassing authentication by injecting SQL into login forms
  • Extracting sensitive data through product search queries
  • Manipulating purchase records through malicious cart data
  • Accessing other users' purchase history

Testing

  • ✅ Application starts successfully after changes
  • ✅ All modified files pass syntax validation
  • ✅ Existing functionality is preserved

The application now uses PostgreSQL's parameterized query feature through pg-promise, which automatically escapes and validates parameters to prevent SQL injection attacks.
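Added example, not code from this PR or the vulnerable-node project: a recording stand-in for the pg-promise `db` object makes the difference between the "before" and "after" patterns observable without a database, and `likePattern` covers the caveat the search fix leaves open (placeholders stop SQL injection, but a user can still put `%` or `_` wildcards inside the ILIKE term). The helper names and the fake db are assumptions of this example.

```javascript
// Constructed stand-in for a pg-promise database: records (sql, params)
// instead of sending them to PostgreSQL, so we can inspect what would be sent.
function makeRecordingDb() {
  const calls = [];
  return {
    one(sql, params) { calls.push({ sql, params: params || [] }); return Promise.resolve(null); },
    many(sql, params) { calls.push({ sql, params: params || [] }); return Promise.resolve([]); },
    calls,
  };
}

// "Before" pattern: user input becomes part of the SQL text itself.
function authConcat(db, username, password) {
  const q = "SELECT * FROM users WHERE name = '" + username + "' AND password ='" + password + "';";
  return db.one(q);
}

// "After" pattern: the SQL text is constant, values travel separately as $1/$2.
function authParam(db, username, password) {
  const q = "SELECT * FROM users WHERE name = $1 AND password = $2;";
  return db.one(q, [username, password]);
}

// Escape LIKE/ILIKE metacharacters so the user's term is matched literally.
// PostgreSQL's default escape character for LIKE is the backslash.
function likePattern(term) {
  const escaped = term.replace(/[\\%_]/g, (c) => '\\' + c);
  return '%' + escaped + '%';
}

// Search with placeholders and a wildcard-escaped pattern (hypothetical helper).
function searchParam(db, query) {
  const q = "SELECT * FROM products WHERE name ILIKE $1 OR description ILIKE $2;";
  const pattern = likePattern(query);
  return db.many(q, [pattern, pattern]);
}

// Check: does the SQL text change with the input? With concatenation it does
// (a legitimate name such as O'Brien already breaks the statement); with
// placeholders the statement is identical for every input.
function sqlTextDependsOnInput(fn) {
  const db = makeRecordingDb();
  fn(db, 'alice', 'pw');
  fn(db, "O'Brien", 'pw');
  return db.calls[0].sql !== db.calls[1].sql;
}
```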



Copilot AI and others added 2 commits August 28, 2025 20:28
Co-authored-by: austenstone <22425467+austenstone@users.noreply.github.com>
…l/auth.js

Co-authored-by: austenstone <22425467+austenstone@users.noreply.github.com>
Copilot AI changed the title [WIP] Autofix Code Scanning Alert Fix SQL injection vulnerabilities in authentication and product queries Aug 28, 2025
Copilot finished work on behalf of austenstone August 28, 2025 20:32
Copilot AI requested a review from austenstone August 28, 2025 20:32