From ff6cfb4edd9f1d33cca8a2de94eb77ed4a00871d Mon Sep 17 00:00:00 2001
From: yaqubroli
Date: Fri, 23 Dec 2022 21:35:40 -0800
Subject: [PATCH] Prevent SQL injection
---
 src/database.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/database.rs b/src/database.rs
index 50fe4ef..d9aa834 100644
--- a/src/database.rs
+++ a/src/database.rs
@@ -79,6 +79,11 @@
 pub content_type: ContentType
 }
 
+// This function sanitizes the input to prevent SQL injection
+fn sanitize_input (input: String) -> String {
+ input.replace("'", "''")
+}
+
 // Description: This function takes in a settings struct and returns a mysql connection pool
 pub async fn init (settings: &BasicSettings) -> Pool {
 let database_settings = &settings.application.database;
@@ -193,9 +198,9 @@
 connection.exec_drop("INSERT INTO entries (content, shortened, content_type) VALUES (:content, :shortened, :content_type)",
 params! {
 "content" => if content_type == &ContentType::Url {
- url::format_url(content.to_string())
+ sanitize_input(url::format_url(content.to_string()))
 } else {
- content.to_string()
+ sanitize_input(content.to_string())
 },
 "shortened" => shortened.clone(),
 "content_type" => u8::from(content_type.clone())
-- 
rgit 0.1.5
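Review bot: The new `sanitize_input` helper in the first hunk doubles single quotes, but its only callers (the two `+ sanitize_input(...)` lines inside the `params!` block of the second hunk) feed the named placeholder `:content` of an `exec_drop` statement, which binds the value as a query parameter rather than splicing it into the SQL text, so the quote doubling adds no protection there and instead alters stored data: a legitimate `'` in a URL or text entry is persisted as `''`. Assuming `exec_drop` and `params!` are the mysql_async ones (hedged, the imports are outside the hunk), the parameterized statement is already the injection defence, and the two call-site lines should go back to `url::format_url(content.to_string())` and `content.to_string()` with the helper removed. If the helper is kept for some non-parameterized query outside this patch, it should borrow rather than take ownership and follow rustfmt spacing, `fn sanitize_input(input: &str) -> String {`, and its comment should state that it is only meaningful for values interpolated verbatim into SQL text, which `params!` bindings are not. In the first hunk `init` continues past the hunk end, and in the second hunk the function enclosing the `exec_drop` call begins and ends outside the hunk.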