fix-nodata-sql-injection (#954)

710leo · web-flow · commit 8549b64b24ae · 2022-03-07T09:31:36.000+08:00
diff --git a/modules/nodata/config/service/host.go b/modules/nodata/config/service/host.go
@@ -15,7 +15,6 @@
 package service
 
 import (
-	"fmt"
 	"log"
 	"time"
 )
@@ -25,17 +24,17 @@ func GetHostsFromGroup(grpName string) map[string]int {
 	hosts := make(map[string]int)
 
 	now := time.Now().Unix()
-	q := fmt.Sprintf("SELECT host.id, host.hostname FROM grp_host AS gh "+
-		" INNER JOIN host ON host.id=gh.host_id AND (host.maintain_begin > %d OR host.maintain_end < %d)"+
-		" INNER JOIN grp ON grp.id=gh.grp_id AND grp.grp_name='%s'", now, now, grpName)
+	sqlStatement := "SELECT host.id, host.hostname FROM grp_host AS gh " +
+		" INNER JOIN host ON host.id=gh.host_id AND (host.maintain_begin > ? OR host.maintain_end < ?)" +
+		" INNER JOIN grp ON grp.id=gh.grp_id AND grp.grp_name=?"
 
 	dbConn, err := GetDbConn("nodata.host")
 	if err != nil {
 		log.Println("db.get_conn error, host", err)
 		return hosts
 	}
 
-	rows, err := dbConn.Query(q)
+	rows, err := dbConn.Query(sqlStatement, now, now, grpName)
 	if err != nil {
 		log.Println("[ERROR]", err)
 		return hosts
