feat(users): add user search query helpers #11
❌ [ERROR] SQL injection vulnerability: User input Fix: Use parameterized queries with bind parameters instead of string concatenation:

```python
query = text("SELECT id, email, full_name FROM \"user\" WHERE full_name ILIKE :name")
rows = session.exec(query, params={"name": f"%{name}%"}).all()
```

Also note: Target: backend/app/crud_search.py:18
❌ [ERROR] SQL injection vulnerability: The Fix: Use parameterized IN clause with bind parameters:

```python
placeholders = ",".join(f":status_{i}" for i in range(len(statuses)))
params = {f"status_{i}": s for i, s in enumerate(statuses)}
result = session.exec(
    text(f"SELECT count(*) FROM \"user\" WHERE status IN ({placeholders})"),
    params=params,
)
```

Also: Bare Target: backend/app/crud_search.py:30
Summary
This PR introduces critical SQL injection vulnerabilities in both
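Both scanner comments above recommend bound parameters for the two helpers. The following is an added example, not the project's `crud_search.py`: it rewrites `search_users_by_name` and `count_users_by_status` on the stdlib `sqlite3` DB-API (an assumption standing in for the PR's SQLModel session and Postgres `ILIKE`), with constructed seed rows, and adds the one caveat the comments leave out: bind parameters stop injection but do not neutralise `LIKE` wildcards in the search term.

```python
import sqlite3
from typing import Sequence

# Constructed sample rows; the project's real "user" table is not reproduced here.
SEED = [
    (1, "ada@example.com", "Ada Lovelace", "active"),
    (2, "brian@example.com", "Brian O'Brien", "active"),
    (3, "chad@example.com", "Chad Lee", "disabled"),
    (4, "dana@example.com", "Dana Adler", "pending"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "user" (id INTEGER PRIMARY KEY, email TEXT, full_name TEXT, status TEXT)')
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?, ?)', SEED)
    return conn

def escape_like(term: str, esc: str = "\\") -> str:
    # Binding the value prevents injection, but "%" and "_" inside it still act
    # as LIKE wildcards; escape them so user input matches literally.
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def search_users_by_name(conn: sqlite3.Connection, name: str) -> list:
    # The SQL text is a constant; the search term travels only as a bind value.
    # SQLite LIKE is case-insensitive for ASCII, standing in for Postgres ILIKE.
    sql = ('SELECT id, email, full_name FROM "user" '
           "WHERE full_name LIKE :name ESCAPE '\\' ORDER BY id")
    return conn.execute(sql, {"name": f"%{escape_like(name)}%"}).fetchall()

def count_users_by_status(conn: sqlite3.Connection, statuses: Sequence[str]) -> int:
    # "IN ()" is a syntax error on most engines; decide the empty case up front.
    if not statuses:
        return 0
    # Only generated placeholder *names* are interpolated; every value is bound.
    placeholders = ",".join(f":status_{i}" for i in range(len(statuses)))
    params = {f"status_{i}": s for i, s in enumerate(statuses)}
    sql = f'SELECT count(*) FROM "user" WHERE status IN ({placeholders})'
    return conn.execute(sql, params).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(search_users_by_name(db, "ad"))          # ids 1, 3, 4
    print(search_users_by_name(db, "O'Brien"))     # the quote is data, not SQL
    print(search_users_by_name(db, "%"))           # literal percent sign: no rows
    print(count_users_by_status(db, ["active"]))   # 2
```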
Summary
Adds a small `crud_search.py` module with reusable query helpers for the upcoming user-management screen, so support can look people up by name and pull quick counts by status.
- `search_users_by_name(name)` returns users whose full name matches a search term.
- `count_users_by_status(statuses)` returns how many users fall into the given status values.
Changes
`backend/app/crud_search.py` adds the two helpers above on top of the existing engine/session setup.
Motivation
Support keeps asking for partial-name lookup and quick status tallies for monthly reporting. This adds the backend helpers; the admin UI and routes consume them in a follow-up.
Testing
- Called `search_users_by_name("ad")` against a seeded database and confirmed the expected matches.
- Spot-checked `count_users_by_status(["active"])` against the row counts in the table.
Notes
The query helpers are intentionally thin for now; pagination and column trimming can be layered on once the admin UI lands.