sballin / alfred-search-notes-app

Use Alfred to quickly open notes in iCloud/Apple Notes.
https://www.alfredforum.com/topic/11716-search-appleicloud-notes/
MIT License

Fix: use prepared sql statements #23

Closed hazcod closed 4 years ago

hazcod commented 4 years ago

Hi, thank you for this Alfred extension, works amazingly swift!

Describe the bug

Currently the string interpolation allows for SQL injection into the sqlite database. Better to use query with ? arguments instead of fmt.Sprintf.

I really recommend adding Go linting, e.g. as seen here: https://github.com/hazcod/intigriti-slack-announce/blob/master/.github/workflows/lint.yml

sballin commented 4 years ago

Good thinking... For now the search string is escaped in Go, so I wasn't able to cause an error just by closing the '. Let me know if there's a different string that can produce an error. I got the code working with ? and Prepare but it got a bit ugly and wasn't able to handle the case of a note title that actually contains ', which seems like a downgrade. So I think a good compromise is keeping fmt.Sprintf but opening the DB with ?mode=ro&_query_only=true.
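An added illustration of the two points raised above (the interpolated query versus a `?`-bound one, and the title-containing-`'` case), not code from this workflow: it uses Python because sqlite3 ships in its standard library, and the notes table, rows and function names are constructed stand-ins for the real Notes database.

```python
import sqlite3

# Constructed sample notes standing in for the Notes database; the title with
# a single quote is the edge case raised in the thread.
SAMPLE_NOTES = [(1, "Groceries"), (2, "Mom's birthday ideas"), (3, "Meeting notes")]

def open_db():
    """In-memory stand-in for the Notes sqlite file (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    return conn

def search_interpolated(conn, term):
    """Reported pattern: the term is spliced into the SQL text, so a quote in
    it becomes part of the statement instead of part of the search."""
    sql = f"SELECT id FROM notes WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_prepared(conn, term):
    """Hardened form: the term is bound with ? and only ever treated as data,
    so a title containing ' is found rather than breaking the query."""
    sql = "SELECT id FROM notes WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def interpolation_breaks_on(conn, term):
    """True when sqlite rejects the interpolated query for this term."""
    try:
        search_interpolated(conn, term)
    except sqlite3.OperationalError:
        return True
    return False

def lock_query_only(conn):
    """Defence in depth mirroring the _query_only=true connection option:
    even a statement smuggled in through interpolation cannot write."""
    conn.execute("PRAGMA query_only = 1")
    return conn

def write_is_blocked(conn):
    """True when an INSERT is refused on a query_only connection."""
    try:
        conn.execute("INSERT INTO notes VALUES (4, 'scratch')")
    except sqlite3.OperationalError:
        return True
    return False
```

The bound form finds "Mom's birthday ideas" for the term `Mom's`, while the interpolated form turns the same term into a syntax error; `query_only` limits the damage if interpolation ever slips back in.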

sballin commented 4 years ago

Never mind, got it working! Will update soon.

sballin commented 4 years ago

Fixed in version 3.0.1. Thanks for the tip!