From 32478bd6e021956d31dafc6ee48ec0ba67284631 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Tue, 24 Feb 2026 01:23:40 +0400
Subject: [PATCH] NM-258: passed as a bind parameter to statement.Exec(key) instead of being interpolated into the SQL string, which prevents SQL injection
---
 database/sqlite.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/database/sqlite.go b/database/sqlite.go
index 9abc4f4a..646921df 100644
--- a/database/sqlite.go
+++ b/database/sqlite.go
@@ -78,13 +78,13 @@ func sqliteInsertPeer(key string, value string) error {
 }
 
 func sqliteDeleteRecord(tableName string, key string) error {
- deleteSQL := "DELETE FROM " + tableName + " WHERE key = \"" + key + "\""
+ deleteSQL := "DELETE FROM " + tableName + " WHERE key = ?"
 statement, err := SqliteDB.Prepare(deleteSQL)
 if err != nil {
 return err
 }
 defer statement.Close()
- if _, err = statement.Exec(); err != nil {
+ if _, err = statement.Exec(key); err != nil {
 return err
 }
 return nil
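Review bot: The new `deleteSQL` line still concatenates `tableName` straight into the statement, so the injection surface is only closed for `key`; a table name cannot be bound with `?`, which means the fix is complete only if every caller passes a compile-time constant table name, and nothing in the hunk enforces that. I would add an allowlist or identifier check before building the string, e.g. `if !tableNameRe.MatchString(tableName) { return fmt.Errorf("invalid table name %q", tableName) }` with a package-level `var tableNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)`, or better, compare against the set of tables this package creates. Since the function runs exactly one statement, `SqliteDB.Exec(deleteSQL, key)` would also drop the Prepare/Close pair without changing behaviour, though that is a style point. A doc comment such as `// sqliteDeleteRecord deletes the row whose key column equals key from tableName; tableName must be a trusted, caller-fixed identifier because it is spliced into the SQL text.` would make the remaining trust assumption explicit. The closing brace of sqliteDeleteRecord lies outside the hunk.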