From bb8d6c43357847dca4891ad50f5d14fe16db41a0 Mon Sep 17 00:00:00 2001 From: Skylar Grant Date: Wed, 1 Jun 2022 13:09:16 -0400 Subject: [PATCH] Sanitize inputs --- .DS_Store | Bin 0 -> 6148 bytes .gitignore | 3 +++ functions.js | 12 ++++++------ 3 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6 GIT binary patch literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 { if (err) throw err; functions.download.requests(client); }); }, pasta(pastaData, client) { - const query = `INSERT INTO pastas (name, content) VALUES ('${pastaData.name}','${pastaData.content}')`; + const query = `INSERT INTO pastas (name, content) VALUES ('${db.escape(pastaData.name)}','${db.escape(pastaData.content)}')`; db.query(query, (err, rows, fields) => { if (err) throw err; functions.download.pastas(client); }); }, joint(content, client) { - const query = `INSERT INTO joints (content) VALUES ('${content}')`; + const query = `INSERT INTO joints (content) VALUES ('${db.escape(content)}')`; db.query(query, (err, rows, fields) => { if (err) throw err; functions.download.joints(client); }); }, gif(gifData, client) { - const query = `INSERT INTO gifs (name, embed_url) VALUES ('${gifData.name}', '${gifData.embed_url}')`; + const query = `INSERT INTO gifs (name, embed_url) VALUES ('${db.escape(gifData.name)}', '${db.escape(gifData.embed_url)}')`; db.query(query, (err, rows, fields) => { if (err) throw err; functions.download.gifs(client); 
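Review bot: The escaped values in the pasta, joint and gif inserts are still wrapped in single quotes inside the template (`'${db.escape(pastaData.name)}'`), and if `db` is a mysql/mysql2 connection — the `(err, rows, fields)` callback shape suggests it is — `db.escape()` already returns a quoted literal, so the statement becomes `VALUES (''x'',''y'')`, which MySQL will not parse as intended. The same double-quoting appears in the `strain` hunk at -395; only `closeRequest` at -436, where the interpolation is unquoted, uses `escape` as designed. Drop the surrounding quotes, e.g. `VALUES (${db.escape(pastaData.name)},${db.escape(pastaData.content)})`, or better use placeholders, `db.query('INSERT INTO pastas (name, content) VALUES (?, ?)', [pastaData.name, pastaData.content], cb)`, which keeps the query text static and lets the driver do the quoting. The enclosing `functions` object starts and ends outside these hunks.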
@@ -395,7 +395,7 @@ const functions = {
 },
 strain(commandData, message) {
 const { strainName } = commandData;
- const query = `SELECT id, name, type, effects, ailment, flavor FROM strains WHERE name = '${strainName}'`;
+ const query = `SELECT id, name, type, effects, ailment, flavor FROM strains WHERE name = '${db.escape(strainName)}'`;
 db.query(query, (err, rows, fields) => {
 if (rows != undefined) {
 commandData.strainInfo = {
@@ -436,7 +436,7 @@ const functions = {
 },
 // Parent-Level functions (miscellaneuous)
 closeRequest(requestId, client) {
- const query = `UPDATE requests SET status = 'Closed' WHERE id = ${requestId}`;
+ const query = `UPDATE requests SET status = 'Closed' WHERE id = ${db.escape(requestId)}`;
 db.query(query, (err, rows, fields) => {
 if (err) throw err;
 functions.download.requests(client);