the-me-0 / groove

Groove is a fork of Antonio Erdeljac's next13 Spotify clone, resulting in a self-hosted and private Spotify clone instance.

Search - Sql injection & general improvement #2

Open the-me-0 opened 10 months ago

the-me-0 commented 10 months ago

The search songs/artists option is currently not safe: SQL injection is possible. Search may be improved (accent insensitive, partial words, missing letters...).

SQL Injection fixes:

Search improvements:

the-me-0 commented 8 months ago

I forgot to keep this updated, but I applied a fix for the query input: all special characters are removed before reaching the database. Search improvements are yet to come.
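As an added illustration, not code from the groove project (which is a Next.js app; the in-memory sqlite3 database and the `songs` table here are assumptions): the search query built by string concatenation beside a parameter-bound version. Binding the term makes it data rather than SQL, so nothing has to be stripped from the user's input, and escaping the LIKE wildcards keeps `%` and `_` matching literally.

```python
import sqlite3

# Constructed sample rows standing in for the app's songs table
# (assumption: the real project's schema is not shown in the issue).
SONGS = [("Blue Sky", "Artist A"), ("100% Pure", "Artist B"), ("Elan", "Artist C")]


def make_db():
    """Build an in-memory database holding the constructed sample songs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE songs (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO songs VALUES (?, ?)", SONGS)
    return conn


def search_vulnerable(conn, term):
    # The search term is spliced straight into the SQL text: a quote in the
    # term closes the string literal and the remainder is parsed as SQL.
    sql = f"SELECT title FROM songs WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    # Parameter binding stops injection but not LIKE pattern metacharacters;
    # escape them so a user typing '%' or '_' gets a literal match.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, term):
    # Bound parameter: the driver sends the term separately from the SQL, so
    # the query shape cannot change regardless of what the term contains.
    sql = "SELECT title FROM songs WHERE title LIKE ? ESCAPE '\\'"
    pattern = f"%{escape_like(term)}%"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```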