From 6a90c20231f8aaf378ae5ff1b19849106af021b1 Mon Sep 17 00:00:00 2001
From: Alejandro Gabriel Guerrero
Date: Fri, 26 Jan 2024 12:10:43 -0600
Subject: [PATCH 1/2] fix sql injection on ApplyFilters

---
 src/infrastructure/repository/Utils.go | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/infrastructure/repository/Utils.go b/src/infrastructure/repository/Utils.go
index 3ce88b3..33a6836 100644
--- a/src/infrastructure/repository/Utils.go
+++ b/src/infrastructure/repository/Utils.go
@@ -73,31 +73,30 @@ func ApplyFilters(columnMapping map[string]string, filters map[string][]string,
 if len(filters) > 0 {
 filters = UpdateFilterKeys(filters, columnMapping)
 for key, values := range filters {
- query = query.Where(fmt.Sprintf("%s IN (?)", key), values)
+ query = query.Where(fmt.Sprintf("%s IN ?", key), values)
 }
 }
 if len(dateRangeFilters) > 0 {
- for i := range dateRangeFilters {
- if newFieldName, ok := columnMapping[dateRangeFilters[i].Field]; ok {
- dateRangeFilters[i].Field = newFieldName
- }
- }
 for _, filter := range dateRangeFilters {
+ if newFieldName, ok := columnMapping[filter.Field]; ok {
+ filter.Field = newFieldName
+ }
 query = query.Where(fmt.Sprintf("%s BETWEEN ? AND ?", filter.Field), filter.Start, filter.End)
 }
 }
- if searchText != "" {
+ if searchText != "" && len(searchColumns) > 0 {
 var orConditions []string
+ var args []interface{}
 for _, column := range searchColumns {
- orConditions = append(orConditions, fmt.Sprintf("%s LIKE '%%%s%%'", column, searchText))
+ orConditions = append(orConditions, fmt.Sprintf("%s LIKE ?", column))
+ args = append(args, "%"+searchText+"%")
 }
 searchQuery := fmt.Sprintf("(%s)", strings.Join(orConditions, " OR "))
- query = query.Where(searchQuery)
+ query = query.Where(searchQuery, args...)
 }
 return query

From 71d05e2860dc3c152994367d51fb0b3bfe94dc1e Mon Sep 17 00:00:00 2001
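Review bot: The column identifiers are still spliced into the SQL text with fmt.Sprintf — `key` in the `IN` clause, `filter.Field` in the `BETWEEN` clause and `column` in the `LIKE` clause — so the parameterisation introduced here covers the values but not the column names. When `filter.Field` has no entry in `columnMapping` the new loop falls through and formats the caller-supplied name unchanged, and whether `UpdateFilterKeys` drops unmapped keys is not visible in this hunk; if any of these names can originate from a request, the injection the commit sets out to fix remains reachable through them. Restricting each loop to mapped names closes that path, e.g. `newFieldName, ok := columnMapping[filter.Field]; if !ok { continue }` before the `BETWEEN` clause, with the same allowlist check on `key` and on `column`; the same point applies to the `IN` clause re-touched in the second patch. Note too that if `dateRangeFilters` holds struct values rather than pointers, `filter` is a per-iteration copy, so assigning `filter.Field` no longer rewrites the caller's slice as the removed loop did — presumably intended, but worth a sentence in the commit message. ApplyFilters's signature and closing brace lie outside the hunk.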
From: Alejandro Gabriel Guerrero
Date: Fri, 26 Jan 2024 12:13:19 -0600
Subject: [PATCH 2/2] fix sql injection on ApplyFilters in quick fix

---
 src/infrastructure/repository/Utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/infrastructure/repository/Utils.go b/src/infrastructure/repository/Utils.go
index 33a6836..3aef601 100644
--- a/src/infrastructure/repository/Utils.go
+++ b/src/infrastructure/repository/Utils.go
@@ -73,7 +73,7 @@ func ApplyFilters(columnMapping map[string]string, filters map[string][]string,
 if len(filters) > 0 {
 filters = UpdateFilterKeys(filters, columnMapping)
 for key, values := range filters {
- query = query.Where(fmt.Sprintf("%s IN ?", key), values)
+ query = query.Where(fmt.Sprintf("%s IN (?)", key), values)
 }
 }
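Review bot: The empty-slice case of the `IN` clause is not handled at the reverted line: a filter key whose `values` slice is empty yields `IN ()` — or whatever the query builder expands an empty slice to — which most SQL dialects reject or which silently matches nothing. A guard such as `if len(values) == 0 { continue }` placed before the `query.Where` call keeps the clause well-formed. The commit message says only "quick fix"; a one-line comment at the `IN (?)` line stating why the parenthesised placeholder is required for this builder would stop the next reader from flipping it back to `IN ?` as the first patch did. The rest of ApplyFilters lies outside this hunk.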