@AgathaSorceress I love how with all the other horrors...

@AgathaSorceress I love how with all the other horrors on offer, this SQL injection vector just didn't even get a mention:

var i = yield n.executeSql("SELECT name, number FROM contacts WHERE name = '"+t+"';");

I mean, *maybe* `t` has been correctly sanitized previously, but nothing about this app suggests to me that's likely.

Sweet cuppin' cakes...

Like 12 May 2023 at 7:26 | Wall-to-wall | Open on hachyderm.io