sql injection in search

2022-04-07 21:06:30 +02:00 · 2022-04-07 21:06:30 +02:00 · 4a07b461d3
commit 4a07b461d3
parent 7786e839b0
3 changed files with 20 additions and 17 deletions
--- a/Lab01/app/webpage/webpage.go
+++ b/Lab01/app/webpage/webpage.go
@ -38,11 +38,17 @@ func (wp *Webpage) defineRoutes() {
 	tasks := wp.Router.Group("/tasks")
 	{
 		tasks.GET("", func(c *gin.Context) {
-			if wp.isLoggedInMiddleware(c) {
-				username := c.Request.Header.Get("username")
-				tasks := wp.Database.GetAllTasks(username)
+			//if wp.isLoggedInMiddleware(c) { // FOR SQL INJECTION (username=Florian OR 1=1 in Header)
+			username := c.Request.Header.Get("username")
+			filter := c.Query("filter")
+			if filter != "" {
+				tasks := wp.Database.FilteredTasks(username, filter)
 				c.JSON(200, gin.H{"tasks": tasks})
+				return
 			}
+			tasks := wp.Database.GetAllTasks(username)
+			c.JSON(200, gin.H{"tasks": tasks})
+			//}
 		})
 		tasks.POST("", func(c *gin.Context) {
 			if wp.isLoggedInMiddleware(c) {