Write the GET request for SQL injection in a comment
This commit is contained in:
parent
3e59c0601e
commit
8ddd8b2942
1 changed files with 10 additions and 9 deletions
@ -38,17 +38,18 @@ func (wp *Webpage) defineRoutes() {
|
||||||
tasks := wp.Router.Group("/tasks")
|
tasks := wp.Router.Group("/tasks")
|
||||||
{
|
{
|
||||||
tasks.GET("", func(c *gin.Context) {
|
tasks.GET("", func(c *gin.Context) {
|
||||||
//if wp.isLoggedInMiddleware(c) { // FOR SQL INJECTION (username=Florian OR 1=1 in Header)
|
if wp.isLoggedInMiddleware(c) {
|
||||||
username := c.Request.Header.Get("username")
|
username := c.Request.Header.Get("username")
|
||||||
filter := c.Query("filter")
|
filter := c.Query("filter")
|
||||||
if filter != "" {
|
if filter != "" {
|
||||||
tasks := wp.Database.FilteredTasks(username, filter)
|
// SQL Injection: http://localhost:8080/tasks?filter=' or 1=1--
|
||||||
|
tasks := wp.Database.FilteredTasks(username, filter)
|
||||||
|
c.JSON(200, gin.H{"tasks": tasks})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
tasks := wp.Database.GetAllTasks(username)
|
||||||
c.JSON(200, gin.H{"tasks": tasks})
|
c.JSON(200, gin.H{"tasks": tasks})
|
||||||
return
|
|
||||||
}
|
}
|
||||||
tasks := wp.Database.GetAllTasks(username)
|
|
||||||
c.JSON(200, gin.H{"tasks": tasks})
|
|
||||||
//}
|
|
||||||
})
|
})
|
||||||
tasks.POST("", func(c *gin.Context) {
|
tasks.POST("", func(c *gin.Context) {
|
||||||
if wp.isLoggedInMiddleware(c) {
|
if wp.isLoggedInMiddleware(c) {
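Review bot: The comment added inside the `if filter != ""` branch documents the injection URL but not the root cause — `filter` comes straight from `c.Query("filter")` and is handed to `wp.Database.FilteredTasks(username, filter)`, which presumably builds its SQL by string concatenation (its body is outside this hunk). If the endpoint is meant to stay vulnerable for training, say so where the sink is called so nobody copies the pattern, e.g. `// INTENTIONALLY VULNERABLE (training): filter reaches the SQL query unescaped; the real fix is a parameterized query inside FilteredTasks.`; otherwise the fix belongs in FilteredTasks (bind `filter` as a query parameter), not in this handler. The same concern applies to `username`, which is still read from a client-controlled request header rather than from the authenticated session even after `isLoggedInMiddleware(c)` passes, as the removed comment itself points out. `defineRoutes` starts before and ends after this hunk.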
|
||||||