
Migrate all CRUD operations to PostgreSQL syntax with parameterized queries #2

Open
devin-ai-integration[bot] wants to merge 2 commits into main from devin/1763144852-postgresql-query-migration

Conversation


@devin-ai-integration devin-ai-integration bot commented Nov 14, 2025

Migrate all CRUD operations to PostgreSQL syntax with parameterized queries

Summary

This PR completes Phase 3 of the MySQL to PostgreSQL migration by updating all five CRUD operations in app.js to use PostgreSQL-compatible SQL syntax. The changes include:

  • Security Fix: Replaced string interpolation with parameterized queries in DELETE, EDIT, and UPDATE operations, fixing SQL injection vulnerabilities
  • PostgreSQL Syntax: Changed from MySQL's ? placeholder to PostgreSQL's $1, $2, $3 positional parameters
  • Explicit Column Specification: Changed INSERT INTO users SET ? to explicit column listing and UPDATE users SET ? to explicit column updates

Important Note: The existing db.js wrapper already handles PostgreSQL's result.rows format conversion (line 52), so the callback receives rows directly. No changes to result handling were needed in app.js.

Review & Testing Checklist for Human

  • Verify SQL injection fixes: Confirm that DELETE, EDIT, and UPDATE operations no longer use string interpolation and properly use parameterized queries
  • Test all 5 CRUD operations end-to-end with PostgreSQL database:
    • List all users (GET /)
    • Create a new user (POST /save)
    • Edit an existing user (GET /edit/:userId and POST /update)
    • Delete a user (GET /delete/:userId)
  • Verify parameterized query syntax: Check that all positional parameters ($1, $2, $3, $4) are correctly ordered and match the array of values passed to db.query()

Test Results

All five CRUD operations were tested end-to-end with PostgreSQL and verified working:

1. GET / - List all users (screenshot: List users)

2. POST /save - Create new user (screenshot: After creating user)

3. GET /edit/:userId - View edit form (screenshot: Edit form)

4. POST /update - Update user (screenshot: After updating user)

5. GET /delete/:userId - Delete user (screenshot: After deleting user)

Notes

…ueries

- Update GET / to use result.rows for PostgreSQL result format
- Update POST /save to use $1, $2, $3 parameterized syntax instead of SET ?
- Update GET /delete/:userId to use $1 parameterized syntax, fixing SQL injection
- Update GET /edit/:userId to use $1 parameterized syntax and result.rows
- Update POST /update to use $1, $2, $3, $4 parameterized syntax, fixing SQL injection

All string interpolation replaced with parameterized queries for security.

Co-Authored-By: Satwik Bebortha <satwik.bebortha@cognition.ai>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

…ostgreSQL result format

The db.js wrapper function already converts result.rows to rows for PostgreSQL
(line 52 in db.js), so accessing result.rows in app.js would cause errors.

Changes:
- Revert GET / to use 'rows' instead of 'result.rows'
- Revert GET /edit/:userId to use 'result[0]' instead of 'result.rows[0]'
- Keep all parameterized query changes ($1, $2, $3, $4) which are correct

Co-Authored-By: Satwik Bebortha <satwik.bebortha@cognition.ai>
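As an added example that is not code from this PR or its repository, the following JavaScript sketches the migration the PR description and both commit messages talk about: the interpolated MySQL-era DELETE beside its PostgreSQL `$1` form, the five CRUD statements with positional parameters and explicit columns, a db.js-style wrapper that hands the callback `result.rows` (so handlers use `rows`, not `result.rows`), and an automated version of the checklist item "positional parameters are correctly ordered and match the array passed to db.query()". The `users` table columns (id, name, email), the recording client that stands in for a `pg` Pool, and the wrapper's exact shape are assumptions for the example, not facts about the project.

```javascript
// Added example, not code from the PR's repository. Assumptions: a `users`
// table with columns id, name, email; a db.js-style wrapper whose callback
// receives result.rows directly; a recording client standing in for pg.Pool.

// Stand-in for a pg Pool/Client: records the SQL text and parameter array
// instead of contacting PostgreSQL, so we can inspect what would reach the
// server. The record is pushed synchronously, before the promise resolves.
function makeRecordingClient() {
  const calls = [];
  return {
    calls,
    query(text, params = []) {
      calls.push({ text, params });
      return Promise.resolve({ rows: [], rowCount: 0 }); // pg-shaped result
    },
  };
}

// Assumed db.js-style wrapper: the callback gets result.rows (an array), so
// route handlers use `rows` / `rows[0]`, never `result.rows`.
function makeDb(client) {
  return {
    query(text, params, cb) {
      client.query(text, params).then(
        (result) => cb(null, result.rows),
        (err) => cb(err),
      );
    },
  };
}

// "Before": the interpolation pattern the PR removes. The id is spliced into
// the statement text, so a crafted id rewrites the statement. Contrast only.
function deleteUserUnsafe(client, userId) {
  return client.query(`DELETE FROM users WHERE id = ${userId}`);
}

// "After": the five CRUD operations with $n placeholders. The SQL text is a
// constant; user-supplied values travel only in the parameter array.
const crud = {
  listUsers(db, cb) {
    db.query('SELECT id, name, email FROM users ORDER BY id', [], cb);
  },
  createUser(db, user, cb) {
    // PostgreSQL has no `INSERT ... SET ?`; columns are listed explicitly.
    db.query('INSERT INTO users (name, email) VALUES ($1, $2)',
      [user.name, user.email], cb);
  },
  getUser(db, userId, cb) {
    db.query('SELECT id, name, email FROM users WHERE id = $1', [userId],
      (err, rows) => (err ? cb(err) : cb(null, rows[0])));
  },
  updateUser(db, user, cb) {
    db.query('UPDATE users SET name = $1, email = $2 WHERE id = $3',
      [user.name, user.email, user.id], cb);
  },
  deleteUser(db, userId, cb) {
    db.query('DELETE FROM users WHERE id = $1', [userId], cb);
  },
};

// Checklist item automated: the distinct $n placeholders in the text must be
// exactly 1..params.length, no gaps and no unreferenced parameters.
function checkPlaceholders(text, params) {
  const distinct = new Set([...text.matchAll(/\$(\d+)/g)].map((m) => Number(m[1])));
  if (distinct.size !== params.length) return false;
  for (let i = 1; i <= params.length; i++) if (!distinct.has(i)) return false;
  return true;
}

// Runs every CRUD operation against a recording client with sample values
// and reports whether each recorded statement passes checkPlaceholders.
function auditCrud() {
  const client = makeRecordingClient();
  const db = makeDb(client);
  const noop = () => {};
  crud.listUsers(db, noop);
  crud.createUser(db, { name: 'alice', email: 'alice@example.test' }, noop);
  crud.getUser(db, 1, noop);
  crud.updateUser(db, { id: 1, name: 'alice', email: 'a@example.test' }, noop);
  crud.deleteUser(db, 1, noop);
  return client.calls.every((c) => checkPlaceholders(c.text, c.params));
}

// Sends the same hostile id through the unsafe and the safe DELETE and
// returns what each would hand to PostgreSQL.
function contrastDelete(userId) {
  const client = makeRecordingClient();
  deleteUserUnsafe(client, userId);
  crud.deleteUser(makeDb(client), userId, () => {});
  return { unsafe: client.calls[0], safe: client.calls[1] };
}

const demo = contrastDelete('1 OR 1=1');
console.log(demo.unsafe.text);                 // DELETE FROM users WHERE id = 1 OR 1=1
console.log(demo.safe.text, demo.safe.params); // DELETE FROM users WHERE id = $1 [ '1 OR 1=1' ]
console.log('all statements well-parameterized:', auditCrud());
```

The point the recorded calls make is the one the PR relies on: with `$1` the statement text never changes, so `'1 OR 1=1'` is just a value PostgreSQL compares against `id` (and rejects, for an integer column), whereas the interpolated form turns it into a WHERE clause that matches every row. `checkPlaceholders` is the mechanical version of the checklist's ordering check; it also catches a `$3` with only two values, which PostgreSQL would reject at runtime rather than at review time.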
