LOW: LIVE constant interpolated into SQL queries in payments.js #81

Closed
opened 2026-05-31 12:03:59 -05:00 by null · 0 comments

Bug Description

routes/payments.js:9 defines const LIVE = deleted_at IS NULL and interpolates it into multiple SQL queries via template literals (e.g., ...p.${LIVE}...). While the value is hardcoded and not user-controlled, this pattern makes future modifications riskier. A parameterized approach would be safer by construction.

Affected Files

  • routes/payments.js:9, 86, 107, 363, 420, 440

Recommended Fix

Replace with a parameterized approach or at minimum add a comment explaining the constant is intentionally hardcoded.

null added the backend, bug, priority:low labels 2026-05-31 12:03:59 -05:00
null closed this issue 2026-06-03 22:28:28 -05:00
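
Added example, not code from the BillTracker repository: a predicate such as `deleted_at IS NULL` cannot be sent as a bind parameter, so one way to get "safe by construction" is a tagged template that splices only values of a dedicated fragment type and binds everything else. `SqlFragment`, `raw`, `sql`, `livePaymentsForUser`, the `payments` columns other than `deleted_at`, and the PostgreSQL-style `$n` placeholders are all assumptions.

```javascript
// Hypothetical helper: a distinct type for SQL text that is allowed to be
// spliced into a query. Plain strings never qualify.
class SqlFragment {
  constructor(text) {
    this.text = text;
    Object.freeze(this);
  }
}

// Call raw() only with literals written in source, never with request data.
const raw = (text) => new SqlFragment(text);

// The constant from the issue, wrapped so its intent is explicit at the
// definition site (the quoting of the value is assumed).
const LIVE = raw('deleted_at IS NULL');

// Tagged template: SqlFragment values are inserted as SQL text; every other
// interpolated value becomes a numbered placeholder plus a bound parameter.
function sql(strings, ...values) {
  let text = strings[0];
  const params = [];
  values.forEach((value, i) => {
    if (value instanceof SqlFragment) {
      text += value.text;
    } else {
      params.push(value);
      text += `$${params.length}`;
    }
    text += strings[i + 1];
  });
  // { text, values } is the query-object shape assumed for the driver.
  return { text, values: params };
}

// Constructed query in the style the issue quotes (p.${LIVE}).
function livePaymentsForUser(userId) {
  return sql`SELECT p.id, p.amount FROM payments p WHERE p.${LIVE} AND p.user_id = ${userId}`;
}
```

If a later change swaps `LIVE` for a plain string, the helper binds it as a parameter and the query fails as invalid SQL instead of executing the string as part of the statement.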
Reference: null/BillTracker#81