sql injection in search
This commit is contained in:
parent
7786e839b0
commit
4a07b461d3
3 changed files with 20 additions and 17 deletions
@ -34,6 +34,13 @@ func (db *Database) GetAllTasks(username string) []Task {
|
||||||
return tasks
|
return tasks
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (db *Database) FilteredTasks(username string, filter string) []Task {
|
||||||
|
var tasks []Task
|
||||||
|
query := fmt.Sprintf("SELECT * FROM tasks WHERE username = '%s' AND description LIKE '%s'", username, filter)
|
||||||
|
db.ORM.Raw(query).Scan(&tasks)
|
||||||
|
return tasks
|
||||||
|
}
|
||||||
|
|
||||||
func (db *Database) CreateTask(username string, description string) Task {
|
func (db *Database) CreateTask(username string, description string) Task {
|
||||||
task := Task{
|
task := Task{
|
||||||
ID: 0,
|
ID: 0,
|
||||||
|
@ -97,7 +104,3 @@ func (db *Database) UserIsLoggedIn(username string) bool {
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *Database) Search(term string) {
|
|
||||||
db.ORM.Exec("SELECT * FROM tasks")
|
|
||||||
}
|
|
||||||
|
|
|
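Review bot: `FilteredTasks` (the added lines of the first hunk) builds its SQL with `fmt.Sprintf`, splicing `username` and `filter` straight into the statement, so a quote or SQL fragment in either value changes the query instead of being matched as data. Bind them as parameters instead — if `db.ORM` is gorm, as the `Raw(...).Scan(...)` chain suggests, `db.ORM.Raw("SELECT * FROM tasks WHERE username = ? AND description LIKE ?", username, filter).Scan(&tasks)` keeps the same shape. The `Scan` result is also discarded, so a query error leaves `tasks` nil and indistinguishable from an empty result; checking `.Error` and returning it to the handler would make failures visible. Even once parameterized, `filter` is used verbatim as a LIKE pattern, so `%` and `_` in the input still act as wildcards — escape them or document that the caller controls the pattern. The enclosing `GetAllTasks` starts outside this hunk.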
@ -47,10 +47,10 @@
|
||||||
const enteredText = e.currentTarget.value;
|
const enteredText = e.currentTarget.value;
|
||||||
clearTimeout(timer);
|
clearTimeout(timer);
|
||||||
if (e.key === "Enter ") {
|
if (e.key === "Enter ") {
|
||||||
searchTask(enteredText);
|
getAllTasks(enteredText);
|
||||||
} else {
|
} else {
|
||||||
timer = setTimeout(() => {
|
timer = setTimeout(() => {
|
||||||
searchTask(enteredText);
|
getAllTasks(enteredText);
|
||||||
}, 1000);
|
}, 1000);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
@ -84,12 +84,6 @@
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
function searchTask(value) {
|
|
||||||
if (value !== "") {
|
|
||||||
console.log(value);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
function addTaskToTasks(task, number) {
|
function addTaskToTasks(task, number) {
|
||||||
tasks.push(task);
|
tasks.push(task);
|
||||||
const newTask = document.createElement('div');
|
const newTask = document.createElement('div');
|
||||||
|
@ -119,10 +113,10 @@
|
||||||
tasksEl.appendChild(taskHeader);
|
tasksEl.appendChild(taskHeader);
|
||||||
}
|
}
|
||||||
|
|
||||||
function getAllTasks() {
|
function getAllTasks(filter) {
|
||||||
tasksEl.innerHTML = "";
|
tasksEl.innerHTML = "";
|
||||||
addTaskHeader();
|
addTaskHeader();
|
||||||
axios.get("/tasks", axiosConfig).then((response) => {
|
axios.get("/tasks", {params: {filter: filter}, headers: {username: username}}).then((response) => {
|
||||||
tasks = response.data.tasks;
|
tasks = response.data.tasks;
|
||||||
tasks.forEach((task, index) => {
|
tasks.forEach((task, index) => {
|
||||||
addTaskToTasks(task, index + 1);
|
addTaskToTasks(task, index + 1);
|
||||||
|
|
|
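Review bot: `e.key === "Enter "` (a context line in the first hunk, now the branch that calls `getAllTasks(enteredText)` immediately) compares against a string with a trailing space, so the Enter path can never match and every keystroke falls through to the one-second timer; it should read `if (e.key === "Enter") {`. The new `axios.get` call also replaces `axiosConfig` with an inline `{params, headers}` object, so anything else that config carried (base URL, timeout, other headers) is dropped for this one request — spreading it, `{...axiosConfig, params: {filter: filter}}`, would keep the two request paths consistent, assuming `axiosConfig` already carries the `username` header the old line relied on. Identity is still sent as a plain client-chosen `username` header, so nothing on this side makes the request authenticated; the server must not treat that header as proof of login.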
@ -38,11 +38,17 @@ func (wp *Webpage) defineRoutes() {
|
||||||
tasks := wp.Router.Group("/tasks")
|
tasks := wp.Router.Group("/tasks")
|
||||||
{
|
{
|
||||||
tasks.GET("", func(c *gin.Context) {
|
tasks.GET("", func(c *gin.Context) {
|
||||||
if wp.isLoggedInMiddleware(c) {
|
//if wp.isLoggedInMiddleware(c) { // FOR SQL INJECTION (username=Florian OR 1=1 in Header)
|
||||||
username := c.Request.Header.Get("username")
|
username := c.Request.Header.Get("username")
|
||||||
tasks := wp.Database.GetAllTasks(username)
|
filter := c.Query("filter")
|
||||||
|
if filter != "" {
|
||||||
|
tasks := wp.Database.FilteredTasks(username, filter)
|
||||||
c.JSON(200, gin.H{"tasks": tasks})
|
c.JSON(200, gin.H{"tasks": tasks})
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
tasks := wp.Database.GetAllTasks(username)
|
||||||
|
c.JSON(200, gin.H{"tasks": tasks})
|
||||||
|
//}
|
||||||
})
|
})
|
||||||
tasks.POST("", func(c *gin.Context) {
|
tasks.POST("", func(c *gin.Context) {
|
||||||
if wp.isLoggedInMiddleware(c) {
|
if wp.isLoggedInMiddleware(c) {
|
||||||
|
|
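Review bot: The `tasks.GET` handler no longer calls `wp.isLoggedInMiddleware(c)` (the check is commented out at the top of the hunk and its closing brace becomes `//}`), so the client-supplied `username` header is taken at face value and, together with the unvalidated `filter` query parameter, reaches `wp.Database.FilteredTasks`, which in this same commit assembles its SQL by string formatting; the route is now an unauthenticated path into that query. If the commented-out guard is an intentional demonstration, gate it behind a build tag or an explicitly named config flag rather than leaving it in the live route; otherwise restore it and fail closed, `if !wp.isLoggedInMiddleware(c) { return }` at the top of the handler (assuming the middleware writes its own rejection response, as the old `if` shape implies), and have the database layer bind `username` and `filter` as parameters. The `tasks :=` inside the closure also shadows the `tasks` router group declared a few lines above; naming the result `result` or `found` avoids the confusion, though the shadowing predates this commit. `defineRoutes` continues outside the hunk.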