Check if ID is valid number before processing

2024-12-12 11:25:22 +01:00 · 2024-12-12 11:25:22 +01:00 · 304eb928eb
parent da654e571b
commit 304eb928eb
1 changed files with 18 additions and 2 deletions
--- a/cmd/serverFunc.go
+++ b/cmd/serverFunc.go
@ -7,6 +7,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"strconv"

 	"github.com/gin-gonic/gin"
 	_ "github.com/lib/pq"
@ -119,7 +120,14 @@ func deleteUser(c *gin.Context) {
 	id := c.Param("userid")
 	dynStmt := `DELETE FROM usuarios WHERE id_usuario = $1`

-	_, err := db.Exec(dynStmt, id)
+	_, err := strconv.Atoi(id)
+	if err != nil {
+		e := fmt.Sprintf("Invalid identifier")
+		c.IndentedJSON(http.StatusNotFound, setResponse(e, false))
+		return
+	}
+
+	_, err = db.Exec(dynStmt, id)
 	if err != nil {
 		e := fmt.Sprintf("Something went wrong trying to delete the user: %v", err)
 		log.Println(e)
@ -169,9 +177,17 @@ func setResponse(content any, success bool) response {

 func getUser(c *gin.Context) {
 	id := c.Param("userid")
+
+	_, err := strconv.Atoi(id)
+	if err != nil {
+		e := fmt.Sprintf("Invalid identifier")
+		c.IndentedJSON(http.StatusNotFound, setResponse(e, false))
+		return
+	}
+
 	user := user{}
 	dynStmt := `SELECT id_usuario,nombre,apellido1,apellido2,email,rol FROM usuarios WHERE id_usuario = $1`
-	err := db.QueryRow(dynStmt, id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email, &user.AccountType)
+	err = db.QueryRow(dynStmt, id).Scan(&user.Id, &user.Name, &user.Surname1, &user.Surname2, &user.Email, &user.AccountType)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			c.IndentedJSON(http.StatusNotFound, setResponse("User not found", false))