From 8820729be41dc98724137271d98c3d662e432a17 Mon Sep 17 00:00:00 2001
From: April Hall
Date: Thu, 6 Feb 2025 17:20:22 -0500
Subject: [PATCH] fix: Avoid CQL Injection in messages

---
 src/lib/server/db/index.ts | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/lib/server/db/index.ts b/src/lib/server/db/index.ts
index 300d4b2..e0851e4 100644
--- a/src/lib/server/db/index.ts
+++ b/src/lib/server/db/index.ts
@@ -33,8 +33,13 @@ class Db {
 async sendMessage(channelName: string, content: string, sender: string, id: string) {
 try {
 const now = new Date();
- await this.client.execute(`INSERT INTO channels.${channelName} (id, message_content, channel_name, timestamp, sender)
- VALUES (${id}, '${content}', '${channelName}', ${now.getTime()}, ${sender})`);
+ await this.client.execute(`INSERT INTO channels.${channelName} (id, message_content, channel_name, timestamp, sender) VALUES (?, ?, ?, ?, ?)`, {
+ id,
+ message_content: content,
+ channel_name: channelName,
+ timestamp: now.getTime(),
+ sender,
+ });
 } catch (e) {
 console.log(`Error storing messages: ${e as Error}`);
 }
@@ -54,9 +59,9 @@ class Db {
 // Get messages method
 async getMessages(channelName: string, limit: number): Promise {
 try {
- const res = await this.client.execute(
- `SELECT * FROM channels.${channelName} WHERE channel_name = '${channelName}' ORDER BY timestamp DESC LIMIT ${limit}`,
- );
+ const res = await this.client.execute(`SELECT * FROM channels.${channelName} WHERE channel_name = ? ORDER BY timestamp DESC LIMIT ${limit}`, {
+ channel_name: channelName,
+ });
 return {
 messages: res.rows,
 error: null,
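Review bot: The table name `channels.${channelName}` is still interpolated into the INSERT on the first added line, and bind markers cannot stand in for identifiers, so a caller-controlled channelName can still rewrite the statement; the SELECT in the getMessages hunk has the same gap. Validate the name before it reaches either query, for example `if (!/^[A-Za-z0-9_]{1,48}$/.test(channelName)) throw new Error('invalid channel name');` at the top of each method, or resolve it against the set of known channels instead of trusting the argument. The execute call passes values with no visible options; if this is the DataStax cassandra-driver, unprepared execution infers CQL types from the JS values, so `id` and `sender`, which the removed lines interpolated unquoted, may now be sent as text — passing `{ prepare: true }` as a third argument takes the types from the schema and is what the named binds are designed for. The catch block still only logs and returns nothing, so a failed insert is indistinguishable from success to the caller.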
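Review bot: `LIMIT ${limit}` on the first added line still interpolates a value into the query; the `number` annotation is erased at runtime, so a limit taken from request input reaches CQL without any check. Bind it as well, `ORDER BY timestamp DESC LIMIT ?` with the parameters passed positionally as `[channelName, limit]` plus `{ prepare: true }` (if this is the cassandra-driver, the LIMIT marker's generated name does not match a column name, so the named-object form used here would not cover it), or at minimum guard with `if (!Number.isInteger(limit) || limit <= 0) throw new RangeError('invalid limit');`. getMessages continues past the end of the hunk, and its return type lost its type argument in the listing (`Promise {`), so the declared result shape cannot be checked from here.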