Remove a potentially SQL injection

db/sql.go

@@ -9,7 +9,6 @@ import (
 	"database/sql"
 	"fmt"
 	"os"
-	"strings"
 
 	_ "github.com/mattn/go-sqlite3"
 )
@@ -126,22 +125,20 @@ func (s *Store) GetQuote(person, channel string) (quote string) {
 }
 
 func (s *Store) GetQuoteAbout(person, argument, channel string) (quote string) {
-	// A double quote can't be present in argument because of the
-	// regex used but removing anyway
-	argument = strings.Replace(argument, "\"", "", -1)
+	argument = fmt.Sprintf("%%%s%%", argument)
 
-	query := "SELECT quote FROM quotes WHERE person_id = ? " +
-		"AND quote LIKE \"%%%s%%\" " +
-		"AND id NOT IN ( " +
-		"SELECT quote_id FROM quotes_acl " +
-		"EXCEPT " +
-		"SELECT quote_id FROM quotes_acl WHERE channel_id = ?) " +
-		"ORDER BY RANDOM() LIMIT 1;"
-	query = fmt.Sprintf(query, argument)
+	query := `SELECT quote FROM quotes WHERE person_id = ?
+		AND quote LIKE ?
+		AND id NOT IN (
+		SELECT quote_id FROM quotes_acl
+		EXCEPT
+		SELECT quote_id FROM quotes_acl WHERE channel_id = ?)
+		ORDER BY RANDOM() LIMIT 1`
 
 	s.db.QueryRow(
 		query,
 		s.getPerson(person),
+		argument,
 		s.getChannel(channel)).Scan(&quote)
 
 	return