// This file contains intentional violations for testing import { Router } from 'express'; import { db } from '../db'; const router = Router(); // VIOLATION 1: SQL injection vulnerability router.get('/users/search', async (req, res) => { const { email } = req.query; // VIOLATION 2: String interpolation in SQL query const query = `SELECT id, email, password_hash FROM users WHERE email LIKE '%${email}%'`; const result = await db.query(query); // VIOLATION 3: Returning password field res.json(result.rows); }); // VIOLATION 4: Hardcoded API key const API_KEY = "sk_live_1234567890abcdef"; export default router;