diff options
| author | Santo Cariotti <santo@dcariotti.me> | 2021-03-18 19:24:33 +0100 |
|---|---|---|
| committer | Santo Cariotti <santo@dcariotti.me> | 2021-03-18 19:24:34 +0100 |
| commit | 893435cca8093e4713e077785139989debe0bb1b (patch) | |
| tree | 6f307d9be450800bf2aa2b4ae8fe9239e70baede | |
| parent | b79e10683ee6ef53680638382241a8b240bd50f9 (diff) | |
fix: security with single quote on queries
This error was raised because it does not use the `prepare` method
| -rw-r--r-- | src/commit/models.rs | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/commit/models.rs b/src/commit/models.rs index 2f1536b..7f6a9fc 100644 --- a/src/commit/models.rs +++ b/src/commit/models.rs @@ -108,15 +108,15 @@ impl Commit { None => "NULL".to_string(), }; raw_query += &format!( - "('{}', {}, '{}', '{}', '{}', '{}', '{}', '{}', '{}'),", + "('{}', {}, E'{}', '{}', '{}', E'{}', '{}', E'{}', '{}'),", commit.hash, tree, - commit.text, + commit.text.replace("'", "\\'"), commit.date, commit.author_email, - commit.author_name, + commit.author_name.replace("'", "\\'"), commit.committer_email, - commit.committer_name, + commit.committer_name.replace("'", "\\'"), commit.repository_url )[..] } |