From 8e865e28b876224f4b61d7630a620840cce5bd8d Mon Sep 17 00:00:00 2001 From: Austen Stone Date: Thu, 3 Jul 2025 20:10:51 -0400 Subject: [PATCH 1/2] Potential fix for code scanning alert no. 24: Database query built from user-controlled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
model/products.js | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/model/products.js b/model/products.js
index 6df3f921..06c76022 100644
--- a/model/products.js
+++ b/model/products.js
@@ -11,41 +11,31 @@ function list_products() {
 function getProduct(product_id) {
- var q = "SELECT * FROM products WHERE id = '" + product_id + "';";
+ var q = "SELECT * FROM products WHERE id = $1;";
- return db.one(q);
+ return db.one(q, [product_id]);
 }
 function search(query) {
- var q = "SELECT * FROM products WHERE name ILIKE '%" + query + "%' OR description ILIKE '%" + query + "%';";
+ var q = "SELECT * FROM products WHERE name ILIKE $1 OR description ILIKE $1;";
- return db.many(q);
+ return db.many(q, ['%' + query + '%']);
 }
 function purchase(cart) {
- var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES('" +
- cart.mail + "', '" +
- cart.product_name + "', '" +
- cart.username + "', '" +
- cart.product_id + "', '" +
- cart.address + "', '" +
- cart.ship_date + "', '" +
- cart.phone + "', '" +
- cart.price +
- "');";
-
- return db.one(q);
+ var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES($1, $2, $3, $4, $5, $6, $7, $8);";
+ return db.one(q, [cart.mail, cart.product_name, cart.username, cart.product_id, cart.address, cart.phone, cart.ship_date, cart.price]);
 }
 function get_purcharsed(username) {
- var q = "SELECT * FROM purchases WHERE user_name = '" + username + "';";
+ var q = "SELECT * FROM purchases WHERE user_name = $1;";
- return db.many(q);
+ return db.many(q, [username]);
 }
From e63c9e7c80ccf2ae2b5ac4252d24839ee31792f2 Mon Sep 17 00:00:00 2001 From: Austen Stone Date: Thu, 3 Jul 2025 20:10:51 -0400 Subject: [PATCH 2/2] Potential fix for code scanning alert no. 23: Database query built from user-controlled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
model/auth.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/model/auth.js b/model/auth.js
index 1d4c2218..c30eeeff 100644
--- a/model/auth.js
+++ b/model/auth.js
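Review bot: The `search` rewrite stops SQL injection, but `%` and `_` inside `query` still act as LIKE wildcards once the value is wrapped in `'%' + query + '%'`, so a request for `%` matches every product and `_` matches any single character; escape them before building the pattern, e.g. `var pattern = '%' + String(query).replace(/[\\%_]/g, '\\$&') + '%';` and `return db.many(q, [pattern]);` (PostgreSQL's default LIKE escape character is backslash, or append `ESCAPE '\'` to the query to make that explicit). While you are in this function, `db.many` in pg-promise rejects on an empty result set, so a search with no hits surfaces as an error rather than `[]`; `db.any` is the method that returns the empty array. In `purchase`, the new `db.one(q, [...])` runs an INSERT with no RETURNING clause, and pg-promise's `one` rejects when a statement yields no row; use `db.none` if the caller only needs completion, or add `RETURNING id` if it needs the new row's key. The column-to-value order in the INSERT now matches the column list (the old string had `ship_date` and `phone` swapped), which is worth calling out in the commit message since it is a behaviour change beyond the parameterization.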
@@ -4,9 +4,9 @@ var config = require("../config"),
 function do_auth(username, password) {
 var db = pgp(config.db.connectionString);
- var q = "SELECT * FROM users WHERE name = '" + username + "' AND password ='" + password + "';";
+ var q = "SELECT * FROM users WHERE name = $1 AND password = $2;";
- return db.one(q);
+ return db.one(q, [username, password]);
 }
 module.exports = do_auth;
\ No newline at end of file
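Review bot: Parameterizing the query removes the injection, but the new `WHERE name = $1 AND password = $2` still has the database compare the submitted password byte-for-byte against `users.password`, which only works if credentials are stored in plaintext (or some other directly comparable form) — a database read or backup then yields every user's password. The lookup should select the row by name only and the verification should happen in application code against a salted hash, e.g. scrypt from Node's `crypto` module compared with `crypto.timingSafeEqual`, as sketched below. `SELECT *` also hands the stored credential back to whoever calls `do_auth`; select only the columns the caller needs and strip the password/hash field before returning the row. Note that pg-promise's `db.one` rejects when no row matches, so callers that currently treat rejection as a failed login will need adjusting if you move to `db.oneOrNone` and an explicit `null` result. The `var db = pgp(config.db.connectionString)` context line builds a new database object on every login attempt, which pg-promise warns against; it predates this commit, but a shared module-level instance would be the fix.
```javascript
function do_auth(username, password) {
    var db = pgp(config.db.connectionString);
    // Look the user up by name only; the password is never compared inside SQL.
    var q = "SELECT id, name, password AS password_hash FROM users WHERE name = $1;";
    return db.oneOrNone(q, [username]).then(function (user) {
        // verifyPasswordHash must compare against a salted hash (e.g. crypto.scrypt)
        // using crypto.timingSafeEqual, never a plain string comparison.
        if (!user || !verifyPasswordHash(password, user.password_hash)) {
            return null;
        }
        delete user.password_hash;
        return user;
    });
}
```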