fix: possible sql inject

2025-05-04 19:17:37 +08:00 · 2022-11-09 21:10:20 +08:00 · 2022-11-09 21:10:20 +08:00 · fc51a69ff1
commit fc51a69ff1
parent cee4bccf45
1 changed files with 6 additions and 1 deletions
--- a/db/sqlite3/sqlite3.go
+++ b/db/sqlite3/sqlite3.go
@ -4,6 +4,7 @@
 package sqlite3

 import (
+	"encoding/base64"
 	"encoding/json"
 	"hash/crc64"
 	"os"
@ -179,10 +180,14 @@ func (s *database) GetPrivateMessageByGlobalID(id int32) (*db.StoredPrivateMessa
 }

 func (s *database) GetGuildChannelMessageByID(id string) (*db.StoredGuildChannelMessage, error) {
+	_, err := base64.StdEncoding.DecodeString(id)
+	if err != nil {
+		return nil, errors.Wrap(err, "query invalid id error")
+	}
 	var ret db.StoredGuildChannelMessage
 	var guildmsg StoredGuildChannelMessage
 	s.RLock()
-	err := s.db.Find(Sqlite3GuildChannelMessageTableName, &guildmsg, "WHERE ID='"+id+"'")
+	err = s.db.Find(Sqlite3GuildChannelMessageTableName, &guildmsg, "WHERE ID='"+id+"'")
 	s.RUnlock()
 	if err != nil {
 		return nil, errors.Wrap(err, "query error")