prevent sql injection

2025-11-18 15:32:10 +09:00
parent d04b03ac29
commit 051411a3ee
3 changed files with 56 additions and 36 deletions
--- a/server/src/ems/ems.service.ts
+++ b/server/src/ems/ems.service.ts
@ -17,24 +17,34 @@ export class EmsService {
    }
    async getImages(city_id?: number, offset?: number, limit?: number): Promise<any[]> {
-        const result = await this.dataSource.query(`
+        if (city_id) {
            const result = await this.dataSource.query(`
            SELECT * FROM "images"
-            ${city_id ? `WHERE city_id = ${city_id}` : ''}
+            WHERE city_id = @0
            ORDER BY city_id
-            OFFSET ${offset || 0} ROWS
+            OFFSET @1 ROWS
-            FETCH NEXT ${limit || 10} ROWS ONLY;
+            FETCH NEXT @2 ROWS ONLY;
-            `)
+            `, [city_id, offset || 0, limit || 10])
-        return result
+            return result
        } else {
            const result = await this.dataSource.query(`
            SELECT * FROM "images"
            ORDER BY city_id
            OFFSET @0 ROWS
            FETCH NEXT @1 ROWS ONLY;
            `, [offset || 0, limit || 10])
            return result
        }
    }
    async getFigures(year: number, city_id: number, offset?: number, limit?: number): Promise<any[]> {
        const result = await this.dataSource.query(`
            SELECT * FROM figures f
-            JOIN vObjects o ON f.object_id = o.object_id WHERE o.id_city = ${city_id} AND f.year = ${year}
+            JOIN vObjects o ON f.object_id = o.object_id WHERE o.id_city = @0 AND f.year = @1
            ORDER BY f.year
-            OFFSET ${Number(offset) || 0} ROWS
+            OFFSET @2 ROWS
-            FETCH NEXT ${Number(limit) || 10} ROWS ONLY;
+            FETCH NEXT @3 ROWS ONLY;
-            `)
+            `, [city_id, year, Number(offset) || 0, Number(limit) || 10])
        return result
    }
 }
--- a/server/src/fuel/fuel.service.ts
+++ b/server/src/fuel/fuel.service.ts
@ -22,8 +22,8 @@ export class FuelService {
                COLUMN_NAME,
                DATA_TYPE
            FROM INFORMATION_SCHEMA.COLUMNS
-            WHERE TABLE_NAME = '${table_name}'
+            WHERE TABLE_NAME = @0
-            `)
+            `, [table_name])
        return result
    }
@ -37,8 +37,8 @@ export class FuelService {
    async getFuels(id_fuels: GetFuelsDTO['id_fuels']) {
        const result = await this.wsDataSource.query(`
            SELECT * FROM dFuelsParameters
-            WHERE id_fuels = ${id_fuels}
+            WHERE id_fuels = @0
-            `)
+            `, [Number(id_fuels)])
        return result
    }
--- a/server/src/general/general.service.ts
+++ b/server/src/general/general.service.ts
@ -37,23 +37,33 @@ export class GeneralService {
            SELECT c.*, d.name AS district_name
            FROM ${generalDatabase}..vCities c
            JOIN ${generalDatabase}..vDistricts d ON d.id_region = c.id_region AND d.id = c.id_district
-            WHERE c.id_region = ${region_id};
+            WHERE c.id_region = @0;
-            `)
+            `, [Number(region_id)])
        return result
    }
    async getCities(id_region: number, offset?: number, limit?: number, search?: string): Promise<any[]> {
        const generalDatabase = 'isWorldstone'
-        const result = await this.wsDataSource.query(`
+        if (search) {
            const result = await this.wsDataSource.query(`
            SELECT * FROM ${generalDatabase}..vCities
-            ${id_region ? `WHERE id_region = ${id_region}` : ''}
+            WHERE id_region = @0 AND name LIKE '%@1%'
            ${search ? `WHERE name LIKE '%${search || ''}%'` : ''}
            ORDER BY id 
-            OFFSET ${Number(offset) || 0} ROWS 
+            OFFSET @2 ROWS 
-            FETCH NEXT ${Number(limit) || 10} ROWS ONLY;
+            FETCH NEXT @3 ROWS ONLY;
-            `)
+            `, [id_region, search, Number(offset) || 0, Number(limit) || 10])
-        return result
+            return result
        } else {
            const result = await this.wsDataSource.query(`
            SELECT * FROM ${generalDatabase}..vCities
            WHERE id_region = @0
            ORDER BY id 
            OFFSET @1 ROWS 
            FETCH NEXT @2 ROWS ONLY;
            `, [id_region, Number(offset) || 0, Number(limit) || 10])
            return result
        }
    }
    async getTypes(): Promise<any[]> {
@ -120,12 +130,12 @@ export class GeneralService {
                    v.id_param = split_value 
                    AND v.id_object = o.object_id 
                    AND (v.date_po IS NULL)
-                AND (v.date_s < DATEFROMPARTS(${Number(year) + 1},01,01))
+                AND (v.date_s < DATEFROMPARTS(@0,01,01))
                WHERE
-                    o.id_city = ${city_id}
+                    o.id_city = @1
-                    AND o.year = ${year}
+                    AND o.year = @2
-                    AND o.type = ${type}
+                    AND o.type = @3
                    AND
                    (
                    CASE
@ -134,7 +144,7 @@ export class GeneralService {
                        WHEN o.planning = 'FALSE' THEN 0
                        ELSE NULL
                    END
-                    ) = ${planning}
+                    ) = @4
                GROUP BY object_id, type, id_city, year, planning;
                `:
            `
@ -151,7 +161,7 @@ export class GeneralService {
                    ${generalDatabase}..tTypes ON vo.type = ${generalDatabase}..tTypes.id
                LEFT JOIN ${gisDatabase}..TypeRoles tr ON tr.id = ${generalDatabase}..tTypes.id
                WHERE 
-                    vo.id_city = ${city_id} AND vo.year = ${year}
+                    vo.id_city = @1 AND vo.year = @2
                    AND
                    (
                    CASE 
@ -160,14 +170,14 @@ export class GeneralService {
                        WHEN vo.planning = 'FALSE' THEN 0
                        ELSE NULL
                    END
-                    ) = ${planning}
+                    ) = @4
                GROUP BY 
                    ${generalDatabase}..tTypes.id,
                    ${generalDatabase}..tTypes.name,
                    tr.r,
                    tr.g,
                    tr.b;
-                `
+                `, [Number(year) + 1, city_id, year, type, planning, ]
        )
        return result
    }
@ -264,8 +274,8 @@ export class GeneralService {
        const result = await this.dataSource.query(`
            SELECT * FROM ${generalDatabase}..TParameters
-            WHERE id = '${param_id}'
+            WHERE id = '@0'
-            `)
+            `, [Number(param_id)])
        return result
    }
@ -307,7 +317,7 @@ export class GeneralService {
                        o.year AS year
                    FROM ${generalDatabase}..tValues
                    JOIN ${generalDatabase}..tObjects o ON o.id = id_object
-                    WHERE CAST(value AS varchar(max)) LIKE '%${q}%'
+                    WHERE CAST(value AS varchar(max)) LIKE '%@0%'
                    )
                SELECT
                    id_object,
@ -316,8 +326,8 @@ export class GeneralService {
                    id_city,
                    year
                FROM RankedValues
-                WHERE rn = 1 AND id_city = ${id_city} AND year = ${year};
+                WHERE rn = 1 AND id_city = @1 AND year = @2;
-                `)
+                `, [q, id_city, year])
        return result
    }
 }