Use parameter binding for all queries (#387)

InfiniteTF
2020-03-02 23:18:14 +01:00
committed by GitHub
parent 97ab40595e
commit 80a8d2de97
6 changed files with 15 additions and 28 deletions


@@ -137,29 +137,6 @@ func getRandomSort(tableName string, direction string, seed float64) string {
return " ORDER BY " + "(substr(" + colName + " * " + randomSortString + ", length(" + colName + ") + 2))" + " " + direction
}
func getSearch(columns []string, q string) string {
// TODO - susceptible to SQL injection
var likeClauses []string
queryWords := strings.Split(q, " ")
trimmedQuery := strings.Trim(q, "\"")
if trimmedQuery == q {
// Search for any word
for _, word := range queryWords {
for _, column := range columns {
likeClauses = append(likeClauses, column+" LIKE '%"+word+"%'")
}
}
} else {
// Search the exact query
for _, column := range columns {
likeClauses = append(likeClauses, column+" LIKE '%"+trimmedQuery+"%'")
}
}
likes := strings.Join(likeClauses, " OR ")
return "(" + likes + ")"
}
func getSearchBinding(columns []string, q string, not bool) (string, []interface{}) {
var likeClauses []string
var args []interface{}