Fix db query injections

commands/role/index.js

@@ -66,6 +66,7 @@ class Roles extends BaseCommand {
 	 * @param {CommandInteraction} int
 	 */
 	async slash (int) {
+		console.time('1')
 		const member = int.member;
 		const permission = this.permission(member);
 
@@ -79,7 +80,8 @@ class Roles extends BaseCommand {
 		if (members) {
 			members = members.replace(/[^-_\w]/g, ' ').match(/[0-9]+/g);
 		}
-
+		console.timeEnd('1')
+		console.time('2')
 		if (!role) {
 			if (permission && create) {
 				role = (await this.create(
@@ -99,8 +101,8 @@ class Roles extends BaseCommand {
 				});
 			}
 		}
-
-
+		console.timeEnd('2')
+		console.time('3')
 		if (!members || !permission) {
 			toggleRole(role, member, int.member).then(result => {
 				int.reply({
@@ -115,10 +117,10 @@ class Roles extends BaseCommand {
 			});
 		} else {
 			if (!int.replied) {
-				await int.reply({
+				int.reply({
 					content: 'Запускаю выдачу ролей',
 					allowedMentions: constants.AM_NONE
-				});
+				}).catch(e => {console.log(e)});
 			}
 
 			members.forEach(user => {
@@ -136,6 +138,7 @@ class Roles extends BaseCommand {
 				});
 			});
 		}
+		console.timeEnd('3')
 	}
 
 	/**

commands/voice/index.js

@@ -100,7 +100,7 @@ class Voice extends BaseCommand {
 	async slash (int) {
 		if (int.options.getSubcommand() === 'auto-sync') {
 			await int.deferReply({ ephemeral: true });
-			DB.query(`UPDATE users SET mode = "${int.options.getString('mode')}" WHERE id = ${int.user.id};`)[0];
+			DB.query(`UPDATE users SET mode = ? WHERE id = ?;`, [int.options.getString('mode'), int.user.id])[0];
 			await int.editReply({
 				content: reaction.emoji.success + ' ' + int.str('Settings changed'),
 				ephemeral: true
@@ -193,7 +193,7 @@ class Voice extends BaseCommand {
 	async create (data) {
 		let preset;
 		try {
-			preset = DB.query(`SELECT * FROM users WHERE id = '${data.member.id}';`)[0];
+			preset = DB.query(`SELECT * FROM users WHERE id = ?;`, [data.member.id])[0];
 		} catch (e) {
 			console.log('DB error occurred:\n' + e);
 		}
@@ -286,10 +286,10 @@ class Voice extends BaseCommand {
 			userLimit: voice.channel.userLimit
 		});
 		if (DB.query(
-			`SELECT * FROM users WHERE id = ${voice.member.user.id};`)[0]) {
+			`SELECT * FROM users WHERE id = ?;`, [voice.member.user.id])[0]) {
 			DB.query(
-				`UPDATE users SET voice_data = ? WHERE id = ${voice.member.user.id};`,
-				[voice_data]
+				`UPDATE users SET voice_data = ? WHERE id = ?;`,
+				[voice_data, voice.member.user.id]
 			)[0];
 		} else {
 			DB.query(
@@ -305,7 +305,7 @@ class Voice extends BaseCommand {
 	 */
 	async sync (voice) {
 		let voiceConfiguration = JSON.parse((
-			DB.query(`SELECT * FROM users WHERE id = ${voice.member.user.id};`)[0]
+			DB.query(`SELECT * FROM users WHERE id = ?;`, [voice.member.user.id])[0]
 		).voice_data);
 		if (!voiceConfiguration) return 'There is no data entry in the database associated with you. Use `/upload` to fix it.';
 

commands/warn/Warn.js

@@ -274,9 +274,9 @@ class Warn {
 	 */
 	static last (target) {
 		const query = target
-			? `SELECT * FROM warns WHERE id = (SELECT MAX(id) FROM warns WHERE target = ${target})`
+			? `SELECT * FROM warns WHERE id = (SELECT MAX(id) FROM warns WHERE target = ?)`
 			: `SELECT * FROM warns WHERE id = (SELECT MAX(id) FROM warns)`;
-		const data = DB.query(query);
+		const data = DB.query(query, target ? [target] : undefined);
 		if (!data[0]) return undefined;
 
 		return new this(data[0]);
@@ -290,9 +290,9 @@ class Warn {
 	 */
 	static all (target) {
 		const query = target
-			? `SELECT * FROM warns WHERE NOT flags & 4 AND target = ${target}`
+			? `SELECT * FROM warns WHERE NOT flags & 4 AND target = ?`
 			: `SELECT * FROM warns WHERE NOT flags & 4`;
-		const data = DB.query(query);
+		const data = DB.query(query, target ? [target] : undefined);
 
 		let warns = [];
 		for (let i = data.length; i >= 0; i--) {

commands/warn/WarnPagination.js

@@ -56,12 +56,12 @@ class WarnPagination {
 		const skip = this.pageCount * (this.pageNumber - 1);
 
 		const query = target
-			? `FROM warns WHERE target = ${this.target.id} AND NOT flags & 4`
+			? `FROM warns WHERE target = ? AND NOT flags & 4`
 			: `FROM warns WHERE NOT flags & 4`;
-		this.count = DB.query('SELECT COUNT(*) AS count ' + query)[0].count;
+		this.count = DB.query('SELECT COUNT(*) AS count ' + query, target ? [this.target.id] : undefined)[0].count;
 		const data = DB.query(
 			'SELECT * ' + query + ' ORDER BY id DESC LIMIT ?, ?',
-			[skip, this.pageCount]
+			target ? [this.target.id, skip, this.pageCount] : [skip, this.pageCount]
 		);
 
 		for (const row of data) {