Add Input Sanitization for SQL Injection Prevention (#93)

[David-patrick-chuks]

Overview

This PR introduces a robust, global SQL injection prevention mechanism. A new middleware layer intercepts all incoming requests to actively detect and block malicious payloads (like UNION SELECT, DROP TABLE, etc.) before they reach our controllers, ensuring maximum database security.

Related Issue

Closes #93

Changes

� Security Middleware

• [NEW] backend/middleware/validation.js:
  • Implemented a rigorous detectSqlInjection middleware.
  • Recursively scans req.query, req.body, and req.params (even in deeply nested objects) for destructive SQL patterns.
  • Returns an immediate 403 Forbidden: Suspicious input detected response when an attack is spotted, completely neutralizing it at the routing level.

� Global Integration

• [MODIFY] backend/app.js:
  • Hooked detectSqlInjection globally into the Express app directly after the body parsers and right before standard sanitization. This provides a universal security umbrella across all API endpoints seamlessly.

📊 Model Audits

• [AUDIT] backend/models/*.js:
  • Conducted a thorough audit of the database layer (knex). Confirmed the framework natively handles parameterized bindings correctly across insert, update, and standard where clauses, minimizing internal vulnerability surface.

🧪 Automated Guards

• [NEW] backend/tests/sql_injection.test.js:
  • Built an integration test suite validating that the new middleware faithfully detects and aborts various SQL injection vectors targeting parameters, request bodies, and deep objects, without blocking legitimate requests.

Verification Results

Scenario	Status
Middleware blocks UNION SELECT in queries	✅ Passed
Middleware blocks stacked queries (;--) in queries	✅ Passed
Middleware blocks DROP TABLE in request body	✅ Passed
Middleware blocks deep/nested object injections	✅ Passed
Normal/healthy requests pass unaltered	✅ Passed

How to Test

1. Start the backend: npm run dev
2. Send a regular, valid request (e.g., GET /health or POST /api/auth/login). Ensure it succeeds smoothly.
3. Attempt an injection via the query string:
   • GET /health?filter=1; DROP TABLE users;--
   • Observe the strict 403 Forbidden response.
4. Attempt an injection via a JSON body:
   • Send a POST request containing { "password": "password' OR 1=1--" }
   • Observe the strict 403 Forbidden response.

Screenshots & Evidence

1. Malicious Request Blocked (Postman/cURL)

A screenshot showing a 403 Forbidden response when an SQL injection payload is deliberately passed to an API endpoint.

2. Automated Test Suite Success

A screenshot displaying the passing Jest security test suite containing the 7 rigid SQL injection checks.

[vercel]

@David-patrick-chuks is attempting to deploy a commit to the llinsomoudu-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

[netlify]

👷 Deploy request for taggedpay pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	6ed3d59

[llinsss]

remove package-lock.json

[David-patrick-chuks]

remove package-lock.json

@llinsss Done! I've removed

package-lock.json