Merge pull request #10 from mattn/escape-percent

escape %
2024-01-30 14:46:36 +09:00
parent 6a94456336 5d6b9ef086
commit bd8998deb3
3 changed files with 24 additions and 16 deletions
--- a/mysql/query.go
+++ b/mysql/query.go
@@ -120,22 +120,26 @@ func (b MySQLBackend) queryEventsSql(filter nostr.Filter, doCount bool) (string,
 	// we use a very bad implementation in which we only check the tag values and
 	// ignore the tag names
 	for _, tagValue := range tagQuery {
-		params = append(params, "%"+tagValue+"%")
+		conditions = append(conditions, `tags LIKE ?`)
-		conditions = append(conditions, "tags LIKE ?")
+		params = append(params, `%`+strings.ReplaceAll(tagValue, `%`, `\%`)+`%`)
 	}
 	if filter.Since != nil {
-		conditions = append(conditions, "created_at >= ?")
+		conditions = append(conditions, `created_at >= ?`)
 		params = append(params, filter.Since)
 	}
 	if filter.Until != nil {
-		conditions = append(conditions, "created_at <= ?")
+		conditions = append(conditions, `created_at <= ?`)
 		params = append(params, filter.Until)
 	}
 	if filter.Search != "" {
 		conditions = append(conditions, `content LIKE ?`)
 		params = append(params, `%`+strings.ReplaceAll(filter.Search, `%`, `\%`)+`%`)
 	}
 	if len(conditions) == 0 {
 		// fallback
-		conditions = append(conditions, "true")
+		conditions = append(conditions, `true`)
 	}
 	if filter.Limit < 1 || filter.Limit > b.QueryLimit {
--- a/postgresql/query.go
+++ b/postgresql/query.go
@@ -119,21 +119,25 @@ func (b PostgresBackend) queryEventsSql(filter nostr.Filter, doCount bool) (stri
 			params = append(params, tagValue)
 		}
-		conditions = append(conditions, "tagvalues && ARRAY["+makePlaceHolders(len(tagQuery))+"]")
+		conditions = append(conditions, `tagvalues && ARRAY[`+makePlaceHolders(len(tagQuery))+`]`)
 	}
 	if filter.Since != nil {
-		conditions = append(conditions, "created_at >= ?")
+		conditions = append(conditions, `created_at >= ?`)
 		params = append(params, filter.Since)
 	}
 	if filter.Until != nil {
-		conditions = append(conditions, "created_at <= ?")
+		conditions = append(conditions, `created_at <= ?`)
 		params = append(params, filter.Until)
 	}
 	if filter.Search != "" {
 		conditions = append(conditions, `content LIKE ?`)
 		params = append(params, `%`+strings.ReplaceAll(filter.Search, `%`, `\%`)+`%`)
 	}
 	if len(conditions) == 0 {
 		// fallback
-		conditions = append(conditions, "true")
+		conditions = append(conditions, `true`)
 	}
 	if filter.Limit < 1 || filter.Limit > b.QueryLimit {
--- a/sqlite3/query.go
+++ b/sqlite3/query.go
@@ -117,26 +117,26 @@ func (b SQLite3Backend) queryEventsSql(filter nostr.Filter, doCount bool) (strin
 	// we use a very bad implementation in which we only check the tag values and
 	// ignore the tag names
 	for _, tagValue := range tagQuery {
-		params = append(params, "%"+tagValue+"%")
+		conditions = append(conditions, `tags LIKE ? ESCAPE '\'`)
-		conditions = append(conditions, "tags LIKE ?")
+		params = append(params, `%`+strings.ReplaceAll(tagValue, `%`, `\%`)+`%`)
 	}
 	if filter.Since != nil {
-		conditions = append(conditions, "created_at >= ?")
+		conditions = append(conditions, `created_at >= ?`)
 		params = append(params, filter.Since)
 	}
 	if filter.Until != nil {
-		conditions = append(conditions, "created_at <= ?")
+		conditions = append(conditions, `created_at <= ?`)
 		params = append(params, filter.Until)
 	}
 	if filter.Search != "" {
-		conditions = append(conditions, "content LIKE ?")
+		conditions = append(conditions, `content LIKE ? ESCAPE '\'`)
-		params = append(params, "%"+filter.Search+"%")
+		params = append(params, `%`+strings.ReplaceAll(filter.Search, `%`, `\%`)+`%`)
 	}
 	if len(conditions) == 0 {
 		// fallback
-		conditions = append(conditions, "true")
+		conditions = append(conditions, `true`)
 	}
 	if filter.Limit < 1 || filter.Limit > b.QueryLimit {