
#0303

Order Filter Builder

Difficulty: Easy | +50 XP | OWASP A03:2021 Injection | CWE-89 | Tags: SQL Injection, Filter

Scenario

An order management API lets users filter their orders by status. The handler accepts a userId and a status string and builds a SQL query by concatenating both values inline.

An attacker can inject into either parameter: a crafted status of shipped' OR '1'='1 bypasses the user_id filter and returns all users' orders; a malicious userId can delete the entire table.

Two unparameterized values double the attack surface compared with a single injectable parameter.

Multi-column injections are more dangerous than single-column ones because each inline value is a separate injection point. A compromised status filter can silently expose every order in the system.

Your Tasks

  1. Fix buildOrderFilter so both userId and status are passed as parameters.
  2. Return { sql: "SELECT * FROM orders WHERE user_id=$1 AND status=$2", params: [userId, status] }.
  3. Neither value should appear literally in the SQL string.

Examples

Example 1: Status injection blocked

buildOrderFilter('123', "shipped' OR '1'='1")
// FIX → { sql: '...WHERE user_id=$1 AND status=$2', params: ['123', "shipped' OR '1'='1"] }

Example 2: Normal filter

buildOrderFilter('u42', 'shipped')
// → { sql: '...WHERE user_id=$1 AND status=$2', params: ['u42', 'shipped'] }

Constraints

  • Only edit the function body — do not change the function signature.
  • The returned sql must use $1 and $2 placeholders.
  • The returned params array must be [userId, status] in that order.
  • No external packages.
