From 249c93dad9a1fca697bba7d9e41b9edb8701d339 Mon Sep 17 00:00:00 2001
From: William Reyor <87031733+BillReyor@users.noreply.github.com>
Date: Sat, 21 Sep 2024 14:26:21 -0400
Subject: [PATCH] Fix code scanning alert #3: Database query built from user-controlled sources
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 part2/VulnerableAppTwo/src/VulnerableAppTwo.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/part2/VulnerableAppTwo/src/VulnerableAppTwo.js b/part2/VulnerableAppTwo/src/VulnerableAppTwo.js
index ef52d4f..514aba4 100644
--- a/part2/VulnerableAppTwo/src/VulnerableAppTwo.js
+++ b/part2/VulnerableAppTwo/src/VulnerableAppTwo.js
@@ -29,8 +29,8 @@ app.post('/api/submit', (req, res) => {
 // Route: SQL (NoSQL) Injection
 app.post('/api/login', async (req, res) => {
 const { username, password } = req.body;
-// Unsafe query
-const user = await User.findOne({ username: username, password: password });
+// Safe query using $eq operator
+const user = await User.findOne({ username: { $eq: username }, password: { $eq: password } });
 if (user) {
 res.send('Login successful');
 } else {
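Review bot: The added `findOne` line still sends the request's `password` straight into the database comparison, so even with `$eq` neutralising operator injection the new code only works if passwords are stored and matched in plaintext; the credential check belongs in application code against a stored hash (look up by `username`, then verify with a password-hashing library), not in the query filter. The `$eq` wrapper also accepts non-string bodies silently, so a type guard before the query gives callers a clear failure and keeps the filter shape fixed: `if (typeof username !== 'string' || typeof password !== 'string') { return res.status(400).send('Invalid credentials format'); }`. The comment `// Safe query using $eq operator` overstates what changed; `// $eq forces a literal comparison so request values cannot inject query operators` describes the actual guarantee. The `/api/login` handler continues past the end of this hunk.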