Currently moving a web application over to using Knex to help with issues to do with SQL injection.
Knex has helped us to stop the issue of running different and new queries however we have a point of concern. Currently we have 4 endpoints which look like so:
router.all('/deleteTable', checkAuth, (req, res) => {
if (checkTableWhitelist(req.body.table) === true) {
knexMarsDb(req.body.table)
.where(req.body.where)
.del()
.then((result) => {
console.log(result);
res.json({ success: true, message: 'deleted' });
})
.catch((error) => {
res.json({ success: false, message: 'failure' });
console.log(error);
});
} else {
res.send(401, 'You are not authorised for this request');
console.log('Table not in whitelist');
}
});
What I understand is that it can be a threat to have this as it means people can delete whatever and how many rows and etc they want to.
Is there a way to make this safer (we have lots of queries running) or is it smarter to just move everything to a hard coded individual endpoint basis?
Thank you