Javascript Snippet #02

This challenge covers the review of a snippet of code written in JavaScript.

PRO Tier | Easy | < 1 Hr. | 1074

In this lab, we review a JavaScript snippet from an Express application. The code initializes an API endpoint to filter users based on query parameters. Although the code uses parameterized queries, it constructs the SQL query by concatenating parameter names, which makes it susceptible to SQL injection attacks. Furthermore, the code returns all user data, including sensitive information like passwords, which leads to significant information leakage.

To mitigate these issues, ensure that query parameters are part of a predefined list of allowed parameters. Additionally, sensitive information should be removed from the database response before converting it to JSON. These steps will help secure the application and protect user data.
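The two mitigations above, sketched next to the flawed pattern as an added example (not the lab's own code). The function names, the `users` table, and the column lists are assumptions made for illustration; the query builders return the SQL text and bound values so they can be inspected without a database.

```javascript
// Assumed schema: users(id, username, email, role, password). All names are hypothetical.
const ALLOWED_FILTERS = new Set(["username", "email", "role"]);
const PUBLIC_FIELDS = ["id", "username", "email", "role"]; // password deliberately absent

// Flawed pattern from the lab description: values are bound with "?",
// but the parameter *names* are concatenated into the SQL text.
function buildUserQueryUnsafe(query) {
  const keys = Object.keys(query);
  const where = keys.map((k) => `${k} = ?`).join(" AND ");
  return {
    sql: `SELECT * FROM users${where ? " WHERE " + where : ""}`,
    params: keys.map((k) => query[k]),
  };
}

// Hardened: only allowlisted names reach the SQL text, and columns are listed explicitly.
function buildUserQuerySafe(query) {
  const clauses = [];
  const params = [];
  for (const [key, value] of Object.entries(query)) {
    if (!ALLOWED_FILTERS.has(key)) {
      throw new Error(`unsupported filter: ${JSON.stringify(key)}`);
    }
    // req.query values can be arrays or objects, not just strings.
    if (typeof value !== "string") {
      throw new Error(`filter ${key} must be a single string`);
    }
    clauses.push(`${key} = ?`);
    params.push(value);
  }
  const where = clauses.length ? ` WHERE ${clauses.join(" AND ")}` : "";
  return { sql: `SELECT ${PUBLIC_FIELDS.join(", ")} FROM users${where}`, params };
}

// Defence in depth: copy only public fields before the row is passed to res.json().
function toPublicUser(row) {
  return Object.fromEntries(
    PUBLIC_FIELDS.filter((f) => f in row).map((f) => [f, row[f]])
  );
}

// Constructed sample inputs standing in for req.query.
const benignQuery = { role: "admin" };
const hostileQuery = { "role OR 1": "x" }; // a key that is not a column name
console.log(buildUserQueryUnsafe(hostileQuery).sql); // the key lands in the SQL text
console.log(buildUserQuerySafe(benignQuery));
```

In an Express handler, a thrown error from `buildUserQuerySafe` would map to a 400 response, and each returned row would pass through `toPublicUser` before serialization.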