prevent sql injection

server/src/ems/ems.service.ts

@@ -17,24 +17,34 @@ export class EmsService {
     }
 
     async getImages(city_id?: number, offset?: number, limit?: number): Promise<any[]> {
-        const result = await this.dataSource.query(`
+        if (city_id) {
+            const result = await this.dataSource.query(`
             SELECT * FROM "images"
-            ${city_id ? `WHERE city_id = ${city_id}` : ''}
+            WHERE city_id = @0
             ORDER BY city_id
-            OFFSET ${offset || 0} ROWS
-            FETCH NEXT ${limit || 10} ROWS ONLY;
-            `)
-        return result
+            OFFSET @1 ROWS
+            FETCH NEXT @2 ROWS ONLY;
+            `, [city_id, offset || 0, limit || 10])
+            return result
+        } else {
+            const result = await this.dataSource.query(`
+            SELECT * FROM "images"
+            ORDER BY city_id
+            OFFSET @0 ROWS
+            FETCH NEXT @1 ROWS ONLY;
+            `, [offset || 0, limit || 10])
+            return result
+        }
     }
 
     async getFigures(year: number, city_id: number, offset?: number, limit?: number): Promise<any[]> {
         const result = await this.dataSource.query(`
             SELECT * FROM figures f
-            JOIN vObjects o ON f.object_id = o.object_id WHERE o.id_city = ${city_id} AND f.year = ${year}
+            JOIN vObjects o ON f.object_id = o.object_id WHERE o.id_city = @0 AND f.year = @1
             ORDER BY f.year
-            OFFSET ${Number(offset) || 0} ROWS
-            FETCH NEXT ${Number(limit) || 10} ROWS ONLY;
-            `)
+            OFFSET @2 ROWS
+            FETCH NEXT @3 ROWS ONLY;
+            `, [city_id, year, Number(offset) || 0, Number(limit) || 10])
         return result
     }
 }