From 2093e60d4fa445edf535ba5ed002e7afd90a3ca5 Mon Sep 17 00:00:00 2001
From: raul
Date: Tue, 10 Dec 2024 10:22:06 +0100
Subject: [PATCH] Fix SQL injection in /api/user/:id endpoint

---
 cmd/serverFunc.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cmd/serverFunc.go b/cmd/serverFunc.go
index 8bd96b6..4a0c0c9 100644
--- a/cmd/serverFunc.go
+++ b/cmd/serverFunc.go
@@ -106,7 +106,8 @@ func server() {
 func getUser(c *gin.Context) {
 id := c.Param("userid")
 user := user{}
- err := db.QueryRow("SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = "+id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email)
+ dynStmt := `SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = $1`
+ err := db.QueryRow(dynStmt, id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email)
 if err != nil {
 if err == sql.ErrNoRows {
 c.String(http.StatusNotFound, "User not found")
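Review bot: The new code binds `c.Param("userid")` to `$1` as a raw string with no check that it is a numeric id; if `id_alumno` is an integer column (the old unquoted concatenation suggests it is), a request such as `/api/user/abc` now surfaces as a driver/database error and falls into the non-`ErrNoRows` branch, which lies outside this hunk, instead of a 400. Parsing the parameter with `strconv.Atoi` before the query and returning `http.StatusBadRequest` on failure keeps malformed ids out of the database path and gives the caller an accurate status; `strconv` would need adding to the import block, which is outside the hunk. The name `dynStmt` is also misleading now that the statement is a fixed parameterized string, so `const stmt` (or a package-level const) reads better. Note that `$1` is the PostgreSQL/pq placeholder convention; that is fine if that is the driver in use, but MySQL/SQLite drivers expect `?`, so confirm against the db setup. The body of getUser continues past the end of the hunk.
```go
func getUser(c *gin.Context) {
	uid, err := strconv.Atoi(c.Param("userid"))
	if err != nil {
		c.String(http.StatusBadRequest, "Invalid user id")
		return
	}
	user := user{}
	const stmt = `SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = $1`
	err = db.QueryRow(stmt, uid).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email)
	// … unchanged: ErrNoRows / error handling …
```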