From 749b5b7628152c1929a29a33d3f31a379f6a3aba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Fabianski?= Date: Wed, 2 Aug 2023 12:01:40 +0200 Subject: [PATCH] chore: introduce sql injection
---
 .../codefixes/dbSchemaChallenge_2_correct.ts | 36 +++++++++++--------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/data/static/codefixes/dbSchemaChallenge_2_correct.ts b/data/static/codefixes/dbSchemaChallenge_2_correct.ts
index 4b7215dc98c..17812d087bf 100644
--- a/data/static/codefixes/dbSchemaChallenge_2_correct.ts
+++ b/data/static/codefixes/dbSchemaChallenge_2_correct.ts
@@ -1,19 +1,25 @@
-module.exports = function searchProducts () {
+module.exports = function searchProducts() {
 return (req: Request, res: Response, next: NextFunction) => {
- let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
- criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
- models.sequelize.query(
- `SELECT * FROM Products WHERE ((name LIKE '%:criteria%' OR description LIKE '%:criteria%') AND deletedAt IS NULL) ORDER BY name`,
- { replacements: { criteria } }
- ).then(([products]: any) => {
- const dataString = JSON.stringify(products)
+ let criteria: any = req.query.q === "undefined" ? "" : req.query.q ?? "";
+ criteria = criteria.length <= 200 ? criteria : criteria.substring(0, 200);
+ models.sequelize
+ .query(
+ "SELECT * FROM Products WHERE ((name LIKE '%:" +
+ criteria +
+ "%' OR description LIKE '%:" +
+ criteria +
+ "%') AND deletedAt IS NULL) ORDER BY name"
+ )
+ .then(([products]: any) => {
+ const dataString = JSON.stringify(products);
 for (let i = 0; i < products.length; i++) {
- products[i].name = req.__(products[i].name)
- products[i].description = req.__(products[i].description)
+ products[i].name = req.__(products[i].name);
+ products[i].description = req.__(products[i].description);
 }
- res.json(utils.queryResultToJson(products))
- }).catch((error: ErrorWithParent) => {
- next(error.parent)
+ res.json(utils.queryResultToJson(products));
 })
- }
-}
\ No newline at end of file
+ .catch((error: ErrorWithParent) => {
+ next(error.parent);
+ });
+ };
+};
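Review bot: The new `.query(...)` call builds the SQL statement by concatenating `criteria`, which is taken directly from `req.query.q`, so a value containing a single quote breaks out of the LIKE literal and can append arbitrary SQL; the 200-character truncation above it limits length, not content, and the removed version passed the value through Sequelize `replacements` for exactly this reason. The leading `:` carried over from the old `'%:criteria%'` placeholder is also now a literal character in the pattern, so the search only matches names or descriptions containing `:` immediately followed by the term. Keep the statement parameterized, e.g. `"SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name"` with `{ replacements: { criteria: '%' + criteria + '%' } }` as the second argument to `.query`. The commit title says the injection is deliberate; if so, the `_correct` suffix in this file's path no longer describes its contents, and a comment at the top of the file stating that it is intentionally vulnerable and why would keep the next reader from treating it as the reference fix.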