From 8ddd8b2942d50604d7c2d2fe94272be6f43044e7 Mon Sep 17 00:00:00 2001
From: Florian Hoss
Date: Fri, 8 Apr 2022 14:28:21 +0200
Subject: [PATCH] write the get request for sql injection in comment
---
 Lab01/app/webpage/webpage.go | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/Lab01/app/webpage/webpage.go b/Lab01/app/webpage/webpage.go
index aea5404..c972006 100644
--- a/Lab01/app/webpage/webpage.go
+++ b/Lab01/app/webpage/webpage.go
@@ -38,17 +38,18 @@ func (wp *Webpage) defineRoutes() {
 tasks := wp.Router.Group("/tasks")
 {
 tasks.GET("", func(c *gin.Context) {
- //if wp.isLoggedInMiddleware(c) { // FOR SQL INJECTION (username=Florian OR 1=1 in Header)
- username := c.Request.Header.Get("username")
- filter := c.Query("filter")
- if filter != "" {
- tasks := wp.Database.FilteredTasks(username, filter)
+ if wp.isLoggedInMiddleware(c) {
+ username := c.Request.Header.Get("username")
+ filter := c.Query("filter")
+ if filter != "" {
+ // SQL Injection: http://localhost:8080/tasks?filter=' or 1=1--
+ tasks := wp.Database.FilteredTasks(username, filter)
+ c.JSON(200, gin.H{"tasks": tasks})
+ return
+ }
+ tasks := wp.Database.GetAllTasks(username)
 c.JSON(200, gin.H{"tasks": tasks})
- return
 }
- tasks := wp.Database.GetAllTasks(username)
- c.JSON(200, gin.H{"tasks": tasks})
- //}
 })
 tasks.POST("", func(c *gin.Context) {
 if wp.isLoggedInMiddleware(c) {
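Review bot: The new comment above `wp.Database.FilteredTasks(username, filter)` records the lab payload but not where the sink is or what the remediation looks like, which is the point a reader of this lab needs; I'd extend it to `// Lab: filter is passed unsanitized to FilteredTasks (the deliberate SQL injection sink); the fix belongs there, as a parameterized query rather than string concatenation.` `FilteredTasks` itself is outside the hunk, so whether it concatenates cannot be confirmed here. Separately, `username` is still read from a client-supplied request header after `isLoggedInMiddleware(c)` passes, so unless that middleware binds the header to the verified session both the filtered and unfiltered lookups trust a caller-chosen identity — worth a `// TODO confirm isLoggedInMiddleware validates the username header` note. When the middleware check is false the handler writes no response, so the client gets an empty reply unless the middleware aborts with a status itself; that also cannot be seen from the hunk. The enclosing `defineRoutes` starts and ends outside the hunk.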