From 82d07eaaf40582c17401cc083571042437408bfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Wed, 14 Apr 2021 17:55:44 +0200
Subject: [PATCH] Fix postgres query for search

---
 honeypot/store/postgres.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/honeypot/store/postgres.go b/honeypot/store/postgres.go
index 88a2b2c..756aea8 100644
--- a/honeypot/store/postgres.go
+++ b/honeypot/store/postgres.go
@@ -161,6 +161,7 @@ func (s *PostgresStore) statsTotal(limit int) ([]StatsResult, error) {

 func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error) {
 var stmt string
+ queryString := query.Query

 switch query.QueryType {
 case AttemptQueryTypeIP:
@@ -168,15 +169,17 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
 FROM login_attempts WHERE remote_ip = $1`
 case AttemptQueryTypePassword:
 stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
- FROM login_attempts WHERE password like '%$1%'`
+ FROM login_attempts WHERE password like $1`
+ queryString = fmt.Sprintf("%%%s%%", queryString)
 case AttemptQueryTypeUsername:
 stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
- FROM login_attempts WHERE username like '%$1%'`
+ FROM login_attempts WHERE username like $1`
+ queryString = fmt.Sprintf("%%%s%%", queryString)
 default:
 return nil, fmt.Errorf("Invalid query type")
 }

- rows, err := s.db.Query(stmt, query.Query)
+ rows, err := s.db.Query(stmt, queryString)
 if err != nil {
 return nil, fmt.Errorf("Unable to query database: %w", err)
 }
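Review bot: In the `AttemptQueryTypePassword` and `AttemptQueryTypeUsername` cases the search term is wrapped in `%` by `fmt.Sprintf("%%%s%%", queryString)`, but any `%`, `_` or `\` inside the term itself is passed through unescaped and is interpreted by `like` as pattern syntax rather than literal text. For a table of captured credentials this gives wrong results: a search for a password containing `_` or `%` returns unrelated rows, and a term consisting only of `%` matches every row. Since the value is already bound as `$1`, a plain substring test avoids pattern semantics entirely, e.g. `FROM login_attempts WHERE strpos(password, $1) > 0` (and the same for `username`) with the two `fmt.Sprintf` lines dropped; the alternative is to escape those three characters before adding the surrounding `%`. The body of `Query` continues past the end of the hunk, so whether the result set is bounded by a limit cannot be judged from here.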