diff --git a/mysql/query.go b/mysql/query.go
index dd10674..c94546d 100644
--- a/mysql/query.go
+++ b/mysql/query.go
@@ -120,22 +120,26 @@ func (b MySQLBackend) queryEventsSql(filter nostr.Filter, doCount bool) (string,
 // we use a very bad implementation in which we only check the tag values and
 // ignore the tag names
 for _, tagValue := range tagQuery {
- params = append(params, "%"+tagValue+"%")
- conditions = append(conditions, "tags LIKE ?")
+ conditions = append(conditions, `tags LIKE ?`)
+ params = append(params, `%`+strings.ReplaceAll(tagValue, `%`, `\%`)+`%`)
 }
 if filter.Since != nil {
- conditions = append(conditions, "created_at >= ?")
+ conditions = append(conditions, `created_at >= ?`)
 params = append(params, filter.Since)
 }
 if filter.Until != nil {
- conditions = append(conditions, "created_at <= ?")
+ conditions = append(conditions, `created_at <= ?`)
 params = append(params, filter.Until)
 }
+ if filter.Search != "" {
+ conditions = append(conditions, `content LIKE ?`)
+ params = append(params, `%`+strings.ReplaceAll(filter.Search, `%`, `\%`)+`%`)
+ }
 if len(conditions) == 0 {
 // fallback
- conditions = append(conditions, "true")
+ conditions = append(conditions, `true`)
 }
 if filter.Limit < 1 || filter.Limit > b.QueryLimit {
diff --git a/postgresql/query.go b/postgresql/query.go
index fa66a40..1cc99fe 100644
--- a/postgresql/query.go
+++ b/postgresql/query.go
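Review bot: The new ReplaceAll calls on the `tags LIKE ?` and `content LIKE ?` parameters escape only `%`, so a caller-supplied `_` still acts as a single-character wildcard and a caller-supplied `\` becomes an escape character that can swallow the appended trailing `%` (a value ending in `\` produces `...\%`, which matches a literal percent sign rather than any suffix); the postgresql and sqlite3 hunks have the same gap. Escape the escape character first and then both wildcards, e.g. `params = append(params, "%"+strings.NewReplacer("\\", "\\\\", "%", "\\%", "_", "\\_").Replace(tagValue)+"%")`, preferably through one shared helper rather than repeating the expression in every backend. Unlike the sqlite3 hunk, this hunk and the postgresql one leave the escape character to the server default; that is `\` on both by default, but I believe MySQL's `NO_BACKSLASH_ESCAPES` sql_mode removes the default, so an explicit `ESCAPE` clause would be more robust — confirm against the deployed sql_mode. queryEventsSql begins before and ends after this hunk.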
@@ -119,21 +119,25 @@ func (b PostgresBackend) queryEventsSql(filter nostr.Filter, doCount bool) (stri
 params = append(params, tagValue)
 }
- conditions = append(conditions, "tagvalues && ARRAY["+makePlaceHolders(len(tagQuery))+"]")
+ conditions = append(conditions, `tagvalues && ARRAY[`+makePlaceHolders(len(tagQuery))+`]`)
 }
 if filter.Since != nil {
- conditions = append(conditions, "created_at >= ?")
+ conditions = append(conditions, `created_at >= ?`)
 params = append(params, filter.Since)
 }
 if filter.Until != nil {
- conditions = append(conditions, "created_at <= ?")
+ conditions = append(conditions, `created_at <= ?`)
 params = append(params, filter.Until)
 }
+ if filter.Search != "" {
+ conditions = append(conditions, `content LIKE ?`)
+ params = append(params, `%`+strings.ReplaceAll(filter.Search, `%`, `\%`)+`%`)
+ }
 if len(conditions) == 0 {
 // fallback
- conditions = append(conditions, "true")
+ conditions = append(conditions, `true`)
 }
 if filter.Limit < 1 || filter.Limit > b.QueryLimit {
diff --git a/sqlite3/query.go b/sqlite3/query.go
index 133c9cd..dfbfe7a 100644
--- a/sqlite3/query.go
+++ b/sqlite3/query.go
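Review bot: The added `content LIKE ?` condition takes a caller-controlled pattern of unbounded length and, because the pattern starts with `%`, a plain btree index on `content` cannot serve it, so each search request is a scan whose per-row cost grows with the pattern; the only limiter visible in the hunk is `b.QueryLimit`, which bounds rows returned, not rows examined. Consider rejecting overlong `filter.Search` with a named length cap before the condition is built, and, if this path turns out to be hot, a trigram (pg_trgm) index on `content` would let the planner avoid the sequential scan. The mysql and sqlite3 hunks add the same unbounded condition. queryEventsSql begins before and ends after this hunk.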
@@ -117,26 +117,26 @@ func (b SQLite3Backend) queryEventsSql(filter nostr.Filter, doCount bool) (strin
 // we use a very bad implementation in which we only check the tag values and
 // ignore the tag names
 for _, tagValue := range tagQuery {
- params = append(params, "%"+tagValue+"%")
- conditions = append(conditions, "tags LIKE ?")
+ conditions = append(conditions, `tags LIKE ? ESCAPE '\'`)
+ params = append(params, `%`+strings.ReplaceAll(tagValue, `%`, `\%`)+`%`)
 }
 if filter.Since != nil {
- conditions = append(conditions, "created_at >= ?")
+ conditions = append(conditions, `created_at >= ?`)
 params = append(params, filter.Since)
 }
 if filter.Until != nil {
- conditions = append(conditions, "created_at <= ?")
+ conditions = append(conditions, `created_at <= ?`)
 params = append(params, filter.Until)
 }
 if filter.Search != "" {
- conditions = append(conditions, "content LIKE ?")
- params = append(params, "%"+filter.Search+"%")
+ conditions = append(conditions, `content LIKE ? ESCAPE '\'`)
+ params = append(params, `%`+strings.ReplaceAll(filter.Search, `%`, `\%`)+`%`)
 }
 if len(conditions) == 0 {
 // fallback
- conditions = append(conditions, "true")
+ conditions = append(conditions, `true`)
 }
 if filter.Limit < 1 || filter.Limit > b.QueryLimit {
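Review bot: The `ESCAPE '\'` clause added to both LIKE conditions is the one backend-specific piece of this change and deserves a comment, since SQLite defines no default escape character and without the clause the `\%` produced by the ReplaceAll call would be a literal backslash followed by a still-live wildcard; something like `// SQLite has no default LIKE escape character, so declare one for the \% written below` above the first condition would stop a future cleanup from "harmonising" it away. Declaring the escape character also means a caller-supplied `\` now carries meaning inside the pattern, and neither it nor `_` is neutralised by the single ReplaceAll, so the escaping should cover `\`, `%` and `_` together. queryEventsSql begins before and ends after this hunk.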