From fc51a69ff191c7d239d9937e8965d6de675dc3d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=BA=90=E6=96=87=E9=9B=A8?= <41315874+fumiama@users.noreply.github.com>
Date: Wed, 9 Nov 2022 21:10:20 +0800
Subject: [PATCH] fix: possible sql inject
---
 db/sqlite3/sqlite3.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/db/sqlite3/sqlite3.go b/db/sqlite3/sqlite3.go
index 7d3169b..a6b6a3b 100644
--- a/db/sqlite3/sqlite3.go
+++ b/db/sqlite3/sqlite3.go
@@ -4,6 +4,7 @@ package sqlite3
 import (
+ "encoding/base64"
 "encoding/json"
 "hash/crc64"
 "os"
@@ -179,10 +180,14 @@ func (s *database) GetPrivateMessageByGlobalID(id int32) (*db.StoredPrivateMessa
 }
 func (s *database) GetGuildChannelMessageByID(id string) (*db.StoredGuildChannelMessage, error) {
+ _, err := base64.StdEncoding.DecodeString(id)
+ if err != nil {
+ return nil, errors.Wrap(err, "query invalid id error")
+ }
 var ret db.StoredGuildChannelMessage
 var guildmsg StoredGuildChannelMessage
 s.RLock()
- err := s.db.Find(Sqlite3GuildChannelMessageTableName, &guildmsg, "WHERE ID='"+id+"'")
+ err = s.db.Find(Sqlite3GuildChannelMessageTableName, &guildmsg, "WHERE ID='"+id+"'")
 s.RUnlock()
 if err != nil {
 return nil, errors.Wrap(err, "query error")
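Review bot: The `base64.StdEncoding.DecodeString(id)` check at the top of GetGuildChannelMessageByID neutralizes the string-spliced `"WHERE ID='"+id+"'"` only as a side effect: it works because the standard base64 alphabet (`A-Z a-z 0-9 + / =`) contains no `'`, but the decoded bytes are discarded and nothing says that this decode is the injection guard, so a later refactor (a different encoding, or removing the "unused" decode) silently reopens the hole. If `s.db.Find` accepts bound arguments — its signature is outside this hunk, so this is unverified — the robust fix is a placeholder, e.g. `err = s.db.Find(Sqlite3GuildChannelMessageTableName, &guildmsg, "WHERE ID=?", id)`; if it does not, keep the decode but add `// a successful decode proves id holds only base64 characters (no quotes), which is what makes splicing it into the literal below safe` so the intent survives. Note also that Go's base64 decoder ignores embedded `\r`/`\n`, so those pass through unchanged into the query text; harmless inside a quoted literal, but it means the check is not a strict allowlist. The function body continues past the end of the hunk.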