Fix security vulnerability

GeekMasher · GeekMasher · commit b95cceaac6fa · 2021-10-07T12:47:01.000+01:00
diff --git a/server/routes.py b/server/routes.py
@@ -13,13 +13,13 @@ def index():
 
     if name:
         cursor.execute(
-            "SELECT * FROM books WHERE name LIKE '%" + name + "%'"
+            "SELECT * FROM books WHERE name LIKE :name", {'name': f"%{name}%"}
         )
         books = [Book(*row) for row in cursor]
 
     elif author:
         cursor.execute(
-            "SELECT * FROM books WHERE author LIKE '%" + author + "%'"
+            "SELECT * FROM books WHERE author LIKE :author", {'author': f"%{author}%"}
         )
         books = [Book(*row) for row in cursor]
 

Original file line number	Diff line number	Diff line change
`@@ -13,13 +13,13 @@ def index():`
`13`	`13`
`14`	`14`	`if name:`
`15`	`15`	`cursor.execute(`
`16`		`- "SELECT * FROM books WHERE name LIKE '%" + name + "%'"`
	`16`	`+ "SELECT * FROM books WHERE name LIKE :name", {'name': f"%{name}%"}`
`17`	`17`	`)`
`18`	`18`	`books = [Book(*row) for row in cursor]`
`19`	`19`
`20`	`20`	`elif author:`
`21`	`21`	`cursor.execute(`
`22`		`- "SELECT * FROM books WHERE author LIKE '%" + author + "%'"`
	`22`	`+ "SELECT * FROM books WHERE author LIKE :author", {'author': f"%{author}%"}`
`23`	`23`	`)`
`24`	`24`	`books = [Book(*row) for row in cursor]`
`25`	`25`