From 2de64cdf40eef237115a253ac00dcd35c61f7458 Mon Sep 17 00:00:00 2001
From: matt
Date: Sun, 13 Feb 2022 21:58:30 +0000
Subject: [PATCH] Added database query parameter sanitisation to replace nullish values with null
---
 lib/DatabaseConnectionPool.js | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/lib/DatabaseConnectionPool.js b/lib/DatabaseConnectionPool.js
index ac628f7..4bb034b 100644
--- a/lib/DatabaseConnectionPool.js
+++ b/lib/DatabaseConnectionPool.js
@@ -38,7 +38,8 @@ class DatabaseConnectionPool {
 * Sanitise and validate an sql query
 *
 * @param {string} sql The query to be executed
- * @param {(Array)} Values to replace prepared statement
+ * @param {(Array)} params
+ * Values to replace prepared statement
 *
 * @return {string} Sanitised and validated sql query
 */
@@ -57,9 +58,29 @@ class DatabaseConnectionPool {
 } else if (prepared && params.length !== expectedParams) {
 throw new Error('Number of params does not equal ' +
 'expected number');
+ } else if (prepared) {
+ params = DatabaseConnectionPool.sanitiseParams(params);
 }
- return sql;
+ return [ sql, params ];
+ }
+
+ /**
+ * Sanitise the parameters for a prepared sql statement
+ *
+ * @param {(Array)} params
+ * Values to replace prepared statement
+ *
+ * @return {(Array {
+ newParams.push(param ?? null);
+ });
+
+ return newParams;
 }
 /**
@@ -71,7 +92,8 @@ class DatabaseConnectionPool {
 * @return {(Array|object)} Data returned from the database
 */
 async runQuery(sql, params) {
- sql = this.validateQuery(sql, params);
+ [ sql, params ] =
+ DatabaseConnectionPool.validateQuery(sql, params);
 const prepared = sql.includes('?');
 let data;
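Review bot: `sanitiseParams` and the commit title call this sanitisation, but `newParams.push(param ?? null)` only maps `undefined` (and `null`) to `null` so the driver accepts the bind value; it does nothing against SQL injection, which here rests entirely on the driver binding the `?` placeholders, so the JSDoc should say so to avoid a false sense of safety, e.g. `* Normalises nullish values to null for the driver; this is NOT injection protection, which comes from the driver binding the ? placeholders.`. The new `return [ sql, params ];` also makes the `@return {string} Sanitised and validated sql query` line kept in the first hunk wrong, and any other caller of validateQuery that still expects a string would now break; it should read `@return {Array} [sql, params] with params normalised`. `params.forEach` throws a TypeError when `params` is array-like but not an array (a two-character string passes the `params.length !== expectedParams` check above), so unless the branch above the hunk already checks it, add `if (!Array.isArray(params)) throw new Error('params must be an array');` before the forEach. validateQuery's opening lines and its signature lie outside this hunk.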