From c941b15370366dda5ae5911d331d89b45f9d797d Mon Sep 17 00:00:00 2001
From: Xavier Robin <xavier.robin@unibas.ch>
Date: Tue, 15 Aug 2023 14:58:38 +0200
Subject: [PATCH] fix SQL injection

---
 modules/conop/src/compound_lib.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/conop/src/compound_lib.cc b/modules/conop/src/compound_lib.cc
index 691abadb8..62b3ed8cc 100644
--- a/modules/conop/src/compound_lib.cc
+++ b/modules/conop/src/compound_lib.cc
@@ -509,11 +509,14 @@ CompoundPtr CompoundLib::FindCompound(const String& id,
 }
 query+=" FROM chem_compounds"
- " WHERE tlc='"+id+"' AND dialect='"+String(1, char(dialect))+"'";
+ " WHERE tlc=? AND dialect='"+String(1, char(dialect))+"'";
 sqlite3_stmt* stmt;
 int retval=sqlite3_prepare_v2(db_->ptr, query.c_str(), static_cast<int>(query.length()), &stmt, NULL);
+ sqlite3_bind_text(stmt, 1, id.c_str(),
+ strlen(id.c_str()), NULL);
+
 if (SQLITE_OK==retval) {
 int ret=sqlite3_step(stmt);
 if (SQLITE_DONE==ret) {
-- 
GitLab
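Review bot: The added sqlite3_bind_text runs before retval is checked, so when sqlite3_prepare_v2 fails stmt is a null pointer and the bind is an API misuse; its own return value is also discarded. The bind belongs inside the `if (SQLITE_OK==retval)` branch with its result folded into retval, `strlen(id.c_str())` can be `static_cast<int>(id.length())`, and the NULL destructor argument is clearer as `SQLITE_STATIC`, which makes the assumption that `id` outlives the statement explicit. The dialect value is still spliced into the SQL text as `String(1, char(dialect))`; that appears to be a single enum-derived character, but binding it as a second parameter would remove the last string-built fragment of the query. FindCompound begins and ends outside this hunk.
```cpp
  int retval=sqlite3_prepare_v2(db_->ptr, query.c_str(), static_cast<int>(query.length()), &stmt, NULL);
  if (SQLITE_OK==retval) {
    // id is a const reference held by the caller for the whole call, so the
    // bound buffer outlives the statement and SQLITE_STATIC is sufficient.
    retval=sqlite3_bind_text(stmt, 1, id.c_str(),
                             static_cast<int>(id.length()), SQLITE_STATIC);
  }
  if (SQLITE_OK==retval) {
    // … unchanged: sqlite3_step and row handling …
```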