NM-258: passed as a bind parameter to statement.Exec(key) instead of being interpolated into the SQL string, which prevents SQL injection

2026-04-22 16:07:11 +08:00 · 2026-02-24 01:23:40 +04:00
parent 99c2d2d8d2
commit 32478bd6e0
1 changed files with 2 additions and 2 deletions
@@ -78,13 +78,13 @@ func sqliteInsertPeer(key string, value string) error {
 }

 func sqliteDeleteRecord(tableName string, key string) error {
-	deleteSQL := "DELETE FROM " + tableName + " WHERE key = \"" + key + "\""
+	deleteSQL := "DELETE FROM " + tableName + " WHERE key = ?"
 	statement, err := SqliteDB.Prepare(deleteSQL)
 	if err != nil {
 		return err
 	}
 	defer statement.Close()
-	if _, err = statement.Exec(); err != nil {
+	if _, err = statement.Exec(key); err != nil {
 		return err
 	}
 	return nil