Fix SQL injection in /api/user/:id endpoint

2024-12-10 10:22:06 +01:00 · 2024-12-10 10:22:06 +01:00 · 2093e60d4f
parent 2d70d013ce
commit 2093e60d4f
1 changed files with 2 additions and 1 deletions
--- a/cmd/serverFunc.go
+++ b/cmd/serverFunc.go
@ -106,7 +106,8 @@ func server() {
 func getUser(c *gin.Context) {
 	id := c.Param("userid")
 	user := user{}
-	err := db.QueryRow("SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = "+id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email)
+	dynStmt := `SELECT id_alumno,nombre,apellido1,apellido2,email FROM alumnos WHERE id_alumno = $1`
+	err := db.QueryRow(dynStmt, id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			c.String(http.StatusNotFound, "User not found")