CONTEXT
I created an app which handles todos. I want to be able to delete todos based on an id I get from the url
```v
import vweb
import sqlite

struct App {
	vweb.Context
}

[post]
["/todo/:id/delete"]
pub fn (mut app App) delete_todo_response(id string) vweb.Result {
	db := sqlite.open("dist/database.db") or {
		return app.redirect("/todo")
	}
	// id comes straight from the URL and is interpolated into the query text: it is not escaped
	db.exec_none('DELETE FROM todo WHERE id = $id')
	return app.redirect("/todo")
}

fn main() {
	vweb.run<App>(80)
}
```
PROBLEM
As you can see, the id is not escaped. I feel this is not the ideal and secure way to do this.
QUESTIONS
- How can one escape values when using `exec()`, `exec_one()` or `exec_none()`?
- Is the ORM capable of deleting a record for me based on a struct, like it is possible with select and insert?
As far as I know, there is no standard way to escape sqlite queries. However, you can indeed use the ORM. If you declare your Todo struct, this should do:
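As an added illustration of the ORM route the answer points to (this is not the answer's own code), the handler below rewrites the question's route so the id never reaches the SQL text as a string. It assumes a `Todo` struct with a serial `id` column (the page never shows the table), uses `sqlite.connect` from vlib, and follows the pre-`@[]` attribute and `sql db { }` syntax of the V version the question is written for.

```v
import vweb
import sqlite

// Assumed table shape: the question never shows the Todo struct.
struct Todo {
	id   int    [primary; sql: serial]
	name string
}

struct App {
	vweb.Context
}

[post]
['/todo/:id/delete']
pub fn (mut app App) delete_todo_response(id string) vweb.Result {
	// Convert the path segment to an int before anything touches the database.
	// id.int() yields 0 for non-numeric input, and serial ids start at 1,
	// so anything <= 0 is rejected as an invalid id rather than queried.
	todo_id := id.int()
	if todo_id <= 0 {
		return app.not_found()
	}
	db := sqlite.connect('dist/database.db') or {
		return app.redirect('/todo')
	}
	// The ORM binds todo_id as a typed parameter; the value is never
	// spliced into the query string, so there is nothing to escape.
	sql db {
		delete from Todo where id == todo_id
	}
	return app.redirect('/todo')
}

fn main() {
	vweb.run<App>(80)
}
```

The same approach applies to the `exec*` calls in the question: whenever the value must be text, convert and validate it first rather than interpolating the raw URL segment.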