Closed hazcod closed 4 years ago
Good thinking... For now the search string is escaped in Go, so I wasn't able to cause an error just by closing the `'`. Let me know if there's a different string that can produce an error. I got the code working with `?` and `Prepare`, but it got a bit ugly and wasn't able to handle the case of a note title that actually contains `'`, which seems like a downgrade. So I think a good compromise is keeping `fmt.Sprintf` but opening the DB with `?mode=ro&_query_only=true`.
Never mind, got it working! Will update soon.
Fixed in version 3.0.1. Thanks for the tip!
Hi, thank you for this Alfred extension, works amazingly swift!
Describe the bug: Currently the string interpolation allows for SQL injection into the sqlite database. Better to use `query` with `?` arguments instead of `fmt.Sprintf`. I really recommend to add Go linting, e.g. as seen here: https://github.com/hazcod/intigriti-slack-announce/blob/master/.github/workflows/lint.yml