
Commit 25dbc41

committed
sql query param refact
1 parent c00a136 commit 25dbc41


2 files changed

+10
-10
lines changed


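--- a/pkg/auth/user/repository/DefaultAuthPolicyRepository.go
+++ b/pkg/auth/user/repository/DefaultAuthPolicyRepository.go
@@ -70,15 +70,18 @@ func (impl DefaultAuthPolicyRepositoryImpl) UpdatePolicyByRoleType(policy string
 
 func (impl DefaultAuthPolicyRepositoryImpl) GetPolicyByRoleTypeAndEntity(roleType bean.RoleType, accessType string, entity string) (policy string, err error) {
 var model DefaultAuthPolicy
-query := "SELECT * FROM default_auth_policy WHERE role_type = ? "
-query += " and entity = '" + entity + "' "
+var queryParams []interface{}
+query := "SELECT * FROM default_auth_policy WHERE role_type = ? AND entity = ? "
+queryParams = append(queryParams, roleType, entity)
+
 if accessType == "" {
-query += "and access_type IS NULL ;"
+query += "AND access_type IS NULL ;"
 } else {
-query += "and access_type ='" + accessType + "' ;"
+query += "AND access_type = ? ;"
+queryParams = append(queryParams, accessType)
 }
 
-_, err = impl.dbConnection.Query(&model, query, roleType)
+_, err = impl.dbConnection.Query(&model, query, queryParams...)
 if err != nil {
 impl.logger.Error("error in getting policy by roleType", "err", err, "roleType", roleType, "entity", entity)
 return "", err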
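Review bot: The error log at new line 86 records `roleType` and `entity` but not `accessType`, so a failure on the `access_type = ?` branch (new line 80) cannot be told apart from the `IS NULL` branch in the logs; add `"accessType", accessType` to the `impl.logger.Error(...)` call. As a point of style, `var queryParams []interface{}` followed by an append of two values that are already known (new lines 73–75) reads more directly as `queryParams := []any{roleType, entity}`, which also swaps `interface{}` for `any` if the module's Go version is 1.18 or later. The method is exported but has no doc comment; `// GetPolicyByRoleTypeAndEntity returns the default policy for roleType and entity, matching access_type IS NULL when accessType is empty.` would state the contract the two branches implement. The function body continues past the end of the hunk.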
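--- a/pkg/genericNotes/repository/GenericNoteRepository.go
+++ b/pkg/genericNotes/repository/GenericNoteRepository.go
@@ -17,9 +17,7 @@
 package repository
 
 import (
-"fmt"
 repository1 "github.com/devtron-labs/devtron/internal/sql/repository/app"
-"github.com/devtron-labs/devtron/internal/sql/repository/helper"
 "github.com/devtron-labs/devtron/pkg/sql"
 "github.com/go-pg/pg"
 )
@@ -108,9 +106,8 @@ func (impl GenericNoteRepositoryImpl) GetDescriptionFromAppIds(appIds []int) ([]
 if len(appIds) == 0 {
 return nil, nil
 }
-query := fmt.Sprintf("SELECT * "+
-"FROM app WHERE id IN (%s)", helper.GetCommaSepratedString(appIds))
-_, err := impl.dbConnection.Query(&apps, query)
+// Use parameterized query to prevent SQL injection
+err := impl.dbConnection.Model(&apps).Where("id IN (?)", pg.In(appIds)).Select()
 if err != nil {
 return nil, err
 }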
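Review bot: The replaced statement named the table explicitly (`FROM app`), while the new `Model(&apps)` call at new line 110 derives the table name from the element type of `apps`, whose declaration lies above the hunk; confirm that type carries a table-name tag resolving to `app`, since go-pg otherwise derives a pluralised name from the struct name and the query would silently target a different table. The empty-slice guard at new lines 106–108 is what keeps `pg.In(appIds)` from ever rendering an empty `IN ()`, so it is worth a one-line comment such as `// empty IN () is a syntax error; nothing to look up anyway` so the guard is not removed as redundant later. The added comment `// Use parameterized query to prevent SQL injection` is good as a why-comment and should stay. The enclosing function starts before the hunk and its return statement lies after it.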