sql injection in search

Lab01/app/database/database.go

@@ -34,6 +34,13 @@ func (db *Database) GetAllTasks(username string) []Task {
 	return tasks
 }
 
+func (db *Database) FilteredTasks(username string, filter string) []Task {
+	var tasks []Task
+	query := fmt.Sprintf("SELECT * FROM tasks WHERE username = '%s' AND description LIKE '%s'", username, filter)
+	db.ORM.Raw(query).Scan(&tasks)
+	return tasks
+}
+
 func (db *Database) CreateTask(username string, description string) Task {
 	task := Task{
 		ID:          0,
@@ -97,7 +104,3 @@ func (db *Database) UserIsLoggedIn(username string) bool {
 	}
 	return false
 }
-
-func (db *Database) Search(term string) {
-	db.ORM.Exec("SELECT * FROM tasks")
-}