Remove a potential SQL injection
This commit is contained in:
parent
d4418c2a88
commit
dc96fc55a3
21
db/sql.go
21
db/sql.go
@ -9,7 +9,6 @@ import (
"database/sql"
"fmt"
"os"
"strings"
|
_ "github.com/mattn/go-sqlite3"
)
@ -126,22 +125,20 @@ func (s *Store) GetQuote(person, channel string) (quote string) {
}
|
func (s *Store) GetQuoteAbout(person, argument, channel string) (quote string) {
// A double quote can't be present in argument because of the
// regex used but removing anyway
argument = strings.Replace(argument, "\"", "", -1)
argument = fmt.Sprintf("%%%s%%", argument)
|
query := "SELECT quote FROM quotes WHERE person_id = ? " +
"AND quote LIKE \"%%%s%%\" " +
"AND id NOT IN ( " +
"SELECT quote_id FROM quotes_acl " +
"EXCEPT " +
"SELECT quote_id FROM quotes_acl WHERE channel_id = ?) " +
"ORDER BY RANDOM() LIMIT 1;"
query = fmt.Sprintf(query, argument)
query := `SELECT quote FROM quotes WHERE person_id = ?
AND quote LIKE ?
AND id NOT IN (
SELECT quote_id FROM quotes_acl
EXCEPT
SELECT quote_id FROM quotes_acl WHERE channel_id = ?)
ORDER BY RANDOM() LIMIT 1`
|
s.db.QueryRow(
query,
s.getPerson(person),
argument,
s.getChannel(channel)).Scan("e)
|
return
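Review bot: The new `AND quote LIKE ?` binds `argument` as-is, and the `argument = fmt.Sprintf("%%%s%%", argument)` wrapping goes away together with the `fmt` import in the first hunk, so unless a line outside this view re-adds the wildcards the query now matches only quotes equal to the argument rather than quotes containing it; restoring them without fmt is one line before the query, `argument = "%" + argument + "%"`. With the value bound as a parameter the `strings.Replace` stripping of double quotes no longer serves a purpose, while `%` and `_` inside the argument are still LIKE wildcards rather than literals, which is worth a comment on the LIKE line if that broadening is acceptable (an `ESCAPE` clause would be needed otherwise). The `Scan(&quote)` result is still discarded, so `sql.ErrNoRows` and real query errors both surface as an empty quote; `if err := ...Scan(&quote); err != nil && !errors.Is(err, sql.ErrNoRows) { /* log or return */ }` would keep failures distinguishable. GetQuoteAbout's closing brace lies outside the hunk.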