Switch string concatenation to placeholders.

AnnAddicks · web-flow · commit 7f6b34314ddc · 2017-08-09T13:23:36.000-04:00
The current method is open to SQL injection attacks, see: TryGhost/node-sqlite3#57
diff --git a/app/db/user.js b/app/db/user.js
@@ -8,7 +8,7 @@ var UserManager = {
     });
   },
   createUser: function(user){
-    var stmt = db.prepare("INSERT INTO users(name, email) VALUES ('"+user.name+"','"+user.email+"')");
+    var stmt = db.prepare("INSERT INTO users(name, email) VALUES (?, ?)", [user.name, user.email]);
     stmt.run();
     stmt.finalize();
   }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ var UserManager = {`
`8`	`8`	`});`
`9`	`9`	`},`
`10`	`10`	`createUser: function(user){`
`11`		`- var stmt = db.prepare("INSERT INTO users(name, email) VALUES ('"+user.name+"','"+user.email+"')");`
	`11`	`+ var stmt = db.prepare("INSERT INTO users(name, email) VALUES (?, ?)", [user.name, user.email]);`
`12`	`12`	`stmt.run();`
`13`	`13`	`stmt.finalize();`
`14`	`14`	`}`