raul
/
drahoot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix SQL injection in /api/user/:id endpoint

This commit is contained in:
raul 2024-12-10 10:22:06 +01:00
parent 2d70d013ce
commit 2093e60d4f
Signed by: raul
GPG Key ID: C1AA797073F17129
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/serverFunc.go
View File

@ -106,7 +106,8 @@ func server() {
func getUser(c *gin.Context) { func getUser(c *gin.Context) {
id := c.Param("userid") id := c.Param("userid")
user := user{} user := user{}
err := db.QueryRow("SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = "+id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email) dynStmt := `SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = $1`
err := db.QueryRow(dynStmt, id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email)
if err != nil { if err != nil {
if err == sql.ErrNoRows { if err == sql.ErrNoRows {
c.String(http.StatusNotFound, "User not found") c.String(http.StatusNotFound, "User not found")