sql injection in search
This commit is contained in:
parent
7786e839b0
commit
4a07b461d3
3 changed files with 20 additions and 17 deletions
|
|
@ -34,6 +34,13 @@ func (db *Database) GetAllTasks(username string) []Task {
|
|||
return tasks
|
||||
}
|
||||
|
||||
func (db *Database) FilteredTasks(username string, filter string) []Task {
|
||||
var tasks []Task
|
||||
query := fmt.Sprintf("SELECT * FROM tasks WHERE username = '%s' AND description LIKE '%s'", username, filter)
|
||||
db.ORM.Raw(query).Scan(&tasks)
|
||||
return tasks
|
||||
}
|
||||
|
||||
func (db *Database) CreateTask(username string, description string) Task {
|
||||
task := Task{
|
||||
ID: 0,
|
||||
|
|
@ -97,7 +104,3 @@ func (db *Database) UserIsLoggedIn(username string) bool {
|
|||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (db *Database) Search(term string) {
|
||||
db.ORM.Exec("SELECT * FROM tasks")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,10 +47,10 @@
|
|||
const enteredText = e.currentTarget.value;
|
||||
clearTimeout(timer);
|
||||
if (e.key === "Enter ") {
|
||||
searchTask(enteredText);
|
||||
getAllTasks(enteredText);
|
||||
} else {
|
||||
timer = setTimeout(() => {
|
||||
searchTask(enteredText);
|
||||
getAllTasks(enteredText);
|
||||
}, 1000);
|
||||
}
|
||||
});
|
||||
|
|
@ -84,12 +84,6 @@
|
|||
});
|
||||
}
|
||||
|
||||
function searchTask(value) {
|
||||
if (value !== "") {
|
||||
console.log(value);
|
||||
}
|
||||
}
|
||||
|
||||
function addTaskToTasks(task, number) {
|
||||
tasks.push(task);
|
||||
const newTask = document.createElement('div');
|
||||
|
|
@ -119,10 +113,10 @@
|
|||
tasksEl.appendChild(taskHeader);
|
||||
}
|
||||
|
||||
function getAllTasks() {
|
||||
function getAllTasks(filter) {
|
||||
tasksEl.innerHTML = "";
|
||||
addTaskHeader();
|
||||
axios.get("/tasks", axiosConfig).then((response) => {
|
||||
axios.get("/tasks", {params: {filter: filter}, headers: {username: username}}).then((response) => {
|
||||
tasks = response.data.tasks;
|
||||
tasks.forEach((task, index) => {
|
||||
addTaskToTasks(task, index + 1);
|
||||
|
|
|
|||
|
|
@ -38,11 +38,17 @@ func (wp *Webpage) defineRoutes() {
|
|||
tasks := wp.Router.Group("/tasks")
|
||||
{
|
||||
tasks.GET("", func(c *gin.Context) {
|
||||
if wp.isLoggedInMiddleware(c) {
|
||||
//if wp.isLoggedInMiddleware(c) { // FOR SQL INJECTION (username=Florian OR 1=1 in Header)
|
||||
username := c.Request.Header.Get("username")
|
||||
filter := c.Query("filter")
|
||||
if filter != "" {
|
||||
tasks := wp.Database.FilteredTasks(username, filter)
|
||||
c.JSON(200, gin.H{"tasks": tasks})
|
||||
return
|
||||
}
|
||||
tasks := wp.Database.GetAllTasks(username)
|
||||
c.JSON(200, gin.H{"tasks": tasks})
|
||||
}
|
||||
//}
|
||||
})
|
||||
tasks.POST("", func(c *gin.Context) {
|
||||
if wp.isLoggedInMiddleware(c) {
|
||||
|
|
|
|||
Reference in a new issue