From 075876ad125db72b50695fa73136b05c466992b3 Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Mon, 12 May 2025 10:46:42 +0000
Subject: [PATCH] fix(security): autofix Potential SQL injection via string-based query concatenation - KAN-481

---
 SQL Injection/mysql.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/SQL Injection/mysql.js b/SQL Injection/mysql.js
index 89029c3e..6c2d5d6a 100644
--- a/SQL Injection/mysql.js
+++ b/SQL Injection/mysql.js
@@ -16,7 +16,8 @@ connection.connect();
 router.get('/example1/user/:id', (req,res) => {
     let userId = req.params.id;
     let query = {
-        sql : "SELECT * FROM users WHERE id=" + userId
+        sql : "SELECT * FROM users WHERE id=?",
+        values: [userId]
     }
     connection.query(query,(err, result) => {
         res.json(result);
@@ -25,7 +26,7 @@ router.get('/example1/user/:id', (req,res) => {
 
 router.get('/example2/user/:id', (req,res) => {
     let userId = req.params.id;
-    connection.query("SELECT * FROM users WHERE id=" + userId,(err, result) => {
+    connection.query("SELECT * FROM users WHERE id=?", [userId],(err, result) => {
         res.json(result);
     });
 })
@@ -33,7 +34,8 @@ router.get('/example2/user/:id', (req,res) => {
 router.get('/example3/user/:id', (req,res) => {
     let userId = req.params.id;
     connection.query({
-        sql : "SELECT * FROM users WHERE id=" +userId
+        sql : "SELECT * FROM users WHERE id=?",
+        values: [userId]
     },(err, result) => {
         res.json(result);
     });
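Review bot: The `err` argument of every query callback is still ignored, so a failed query (the new placeholder form can now fail on a malformed value rather than on a syntax error) reaches `res.json(result)` with `result` undefined and the client gets an empty 200 with nothing logged; this applies to the `res.json(result);` context line in all three hunks (example1, example2, example3). I would guard each callback with `if (err) { console.error(err); return res.status(500).json({ error: 'query failed' }); }` before `res.json(result);`. Since `req.params.id` is always a string, the parameterization is sound, but validating it as an integer up front (`const userId = Number.parseInt(req.params.id, 10);` with a 400 on `!Number.isInteger(userId)`) would keep non-numeric input from reaching the database at all; `let userId` is never reassigned and can be `const`. The `router.get` handlers in the first and third hunks close outside the hunk.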