-
Notifications
You must be signed in to change notification settings - Fork 54
/
Copy pathmodels.go
109 lines (89 loc) · 2.39 KB
/
models.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
package models
import (
"database/sql"
"fmt"
)
var DB *sql.DB
type Book struct {
Title string
Author string
Read string
}
// Get all books in the books table.
func AllBooks() ([]Book, error) {
query := "SELECT * FROM books"
rows, err := DB.Query(query)
if err != nil {
return nil, err
}
defer rows.Close()
bks, err := makeBookSlice(rows)
if err != nil {
return nil, err
}
return bks, nil
}
// Query for books by name. This function contains a SQL Injection issue.
// The user input is not parameterized. Instead of using fmt.Sprintf() to build
// the query, you should be using a parameterized query.
func NameQuery(r string) ([]Book, error) {
// Fix: rows, err := DB.Query("SELECT * FROM books WHERE name = ?", r)
rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE name = '%s'", r))
if err != nil {
return nil, err
}
defer rows.Close()
bks, err := makeBookSlice(rows)
if err != nil {
return nil, err
}
return bks, nil
}
// Query for books by Author. This function contains a SQL Injection issue.
// The user input is not parameterized. Instead of using fmt.Sprintf() to build
// the query, you should be using a parameterized query.
func AuthorQuery(r string) ([]Book, error) {
// Fix: rows, err := DB.Query("SELECT * FROM books WHERE author = ?", r)
rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE author = '%s'", r))
if err != nil {
return nil, err
}
defer rows.Close()
bks, err := makeBookSlice(rows)
if err != nil {
return nil, err
}
return bks, nil
}
// Query for books by read. This function contains a SQL Injection issue.
// The user input is not parameterized. Instead of using fmt.Sprintf() to build
// the query, you should be using a parameterized query.
func ReadQuery(r string) ([]Book, error) {
// Fix: rows, err := DB.Query("SELECT * FROM books WHERE read = ?", r)
rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE read = '%s'", r))
if err != nil {
return nil, err
}
defer rows.Close()
bks, err := makeBookSlice(rows)
if err != nil {
return nil, err
}
return bks, nil
}
// A helper function to cast the query results to a slice
func makeBookSlice(r *sql.Rows) ([]Book, error) {
var bks []Book
for r.Next() {
var bk Book
err := r.Scan(&bk.Title, &bk.Author, &bk.Read)
if err != nil {
return nil, err
}
bks = append(bks, bk)
}
if err := r.Err(); err != nil {
return nil, err
}
return bks, nil
}