Mendi Sterenfeld

Reputation: 397

How secure is passing a query in the URL?

I'm selling a few courses online, so for the payment cart I implemented a method that gets the course data from Firestore through the query in the URL, e.g. localhost:5000/?product=course1.

So, I want to know how secure it is, in terms of injection or other vulnerabilities.

I implemented simple validation, but nothing major.

This is the products POST request:

router.post("/courses", (req, res) => {
  const product = req.body.product;

  res.redirect("/payment?product=" + product);
});

This is the payment page:

router.get("/payment", async (req, res) => {
  console.log(req.query.product);

  // Fetch the whole "products" collection and flatten it to {name, price}.
  // docs.map() is synchronous, so no await is needed here.
  const snapshot = await db.collection("products").get();
  const products = snapshot.docs.map(doc => {
    return {
      name: doc.id,
      price: doc.data().price
    };
  });
  // Declared with const: the original assigned an undeclared variable, which
  // leaks a global (or throws a ReferenceError in strict mode).
  const thisProduct = products.find(product => {
    return req.query.product === product.name;
  });
  console.log(thisProduct);
  if (typeof thisProduct === "undefined") {
    return res.send("product not found");
  }

  // Price comes from the server-side record, never from the query string.
  res.render("payment", {
    key: "pk_test_fVJwSNZpMoCwrF7Zs48PsLR100zpmBhXrc",
    user: true,
    title: "Pay for a course",
    product: {
      name: thisProduct.name,
      price: thisProduct.price
    }
  });
});

Please let me know if there is any vulnerability and how to fix it. Comment if you don't find any vulnerability. Thank you!

Upvotes: 0

Views: 80

Answers (1)

GProst

Reputation: 10227

I don't see any vulnerabilities in the code you showed. Generally, to avoid any kind of injection you should validate all your inputs properly. I.e. if you expect a product to be a number you should check that it is a number. Also, a general practice to avoid SQL injections is to not use string interpolation (and you don't 👍) for SQL queries but instead use prepared statements and/or an ORM.

So, sending params in URL query is as safe as sending any other kind of params while you're taking all precautions.

Upvotes: 1
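The input validation the answer recommends, applied to the `/payment` route from the question, as an added example that is neither the asker's nor the answerer's code. It goes slightly beyond the question: Express's query parser can return `req.query.product` as a string, an array (`?product=a&product=b`) or an object (`?product[x]=y`), so the type is checked first, and the product is looked up by id rather than by scanning the whole collection. The `CATALOG` object is a constructed stand-in for the Firestore `products` collection, and `paymentHandler` assumes the same `res.render` view as the original.

```javascript
// Added example: hardened product lookup for the /payment route.
// Whitelist shape for a product id: lowercase alphanumerics, "-" and "_",
// 1 to 64 characters, must start with an alphanumeric.
const PRODUCT_ID = /^[a-z0-9][a-z0-9_-]{0,63}$/;

// Returns the validated id string, or null when the value is unusable.
function validateProductId(value) {
  if (typeof value !== "string") return null; // arrays and objects from the query parser are rejected
  const id = value.trim();
  if (!PRODUCT_ID.test(id)) return null;      // bounds length and character set in one check
  return id;
}

// Constructed sample catalogue standing in for the Firestore "products" collection.
// Prices are in cents and live only on the server side.
const CATALOG = {
  course1: { price: 4900 },
  "course-2": { price: 9900 },
};

// Looks up exactly one product by id. The own-property check keeps inherited
// names such as "constructor" from matching when the catalogue is a plain object.
function findProduct(catalog, rawQuery) {
  const id = validateProductId(rawQuery);
  if (id === null) return { status: 400, body: "invalid product" };
  if (!Object.prototype.hasOwnProperty.call(catalog, id)) {
    return { status: 404, body: "product not found" };
  }
  return { status: 200, product: { name: id, price: catalog[id].price } };
}

// Express-style handler wired to the helpers above (hypothetical name).
function paymentHandler(req, res) {
  const result = findProduct(CATALOG, req.query.product);
  if (result.status !== 200) return res.status(result.status).send(result.body);
  return res.render("payment", { title: "Pay for a course", product: result.product });
}
```

With Firestore the lookup becomes `db.collection("products").doc(id).get()` on the validated id, which avoids reading every product on each page view.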
