bugfix: insert task_meta sql inject

2020-12-31 13:01:43 +08:00 · 2020-12-31 13:01:43 +08:00 · 6dbbbac344
parent e903f609a5
commit 6dbbbac344
1 changed files with 2 additions and 2 deletions
--- a/src/models/task_meta.go
+++ b/src/models/task_meta.go
@ -151,8 +151,8 @@ func (m *TaskMeta) Save(hosts []string, action string) error {
 	}

 	for _, host := range hosts {
-		sql := fmt.Sprintf("INSERT INTO %s(id, host, status) VALUES(%d, '%s', 'waiting')", tht(id), id, host)
-		if _, err := session.Exec(sql); err != nil {
+		sql := fmt.Sprintf("INSERT INTO %s(id, host, status) VALUES(%d, ?, 'waiting')", tht(id), id)
+		if _, err := session.Exec(sql, host); err != nil {
 			session.Rollback()
 			return err
 		}