NCATS-Gamma/robokache

SQL Injection Vulnerability

alongreyber opened this issue · 1 comment

// Get rows user is allowed to see
stmt := fmt.Sprintf(`
SELECT id, owner, visibility FROM questions
WHERE owner='%s' OR visibility>=%d
`, userEmail, public)
rows, err := db.Query(stmt)

Queries in get.go are built using Sprintf. This allows a SQL injection attack using a string like the following for the owner variable:

'DROP TABLE questions;'

The fix is to replace Sprintf with db.Prepare, which accepts placeholders and fills them safely.

You may be able to make this safe with db.Query(), but just use placeholders for those conditions. I think the use case for Prepare() instead of Query() is slightly different.
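As an added example (not code from the robokache repository and not written by either participant above), here is the Sprintf pattern quoted in the issue next to the placeholder form that the issue and the comment both suggest, with a rough statement counter to show what the attacker input does to the SQL text. It assumes `?` placeholders (sqlite/MySQL style; Postgres drivers use `$1`, `$2`), a constructed payload, and hypothetical helper names (`buildUnsafeQuery`, `buildSafeQuery`, `getVisibleRows`, `countStatements`); `countStatements` is a demonstration-only heuristic, not a SQL parser.

```go
package main

import (
	"database/sql"
	"fmt"
)

// Constructed attacker input for the owner/userEmail value. The leading quote
// closes the string literal in the Sprintf-built query, so everything after it
// is parsed as SQL. Whether the DROP TABLE actually runs depends on whether the
// driver executes multiple statements per Query call; the "OR 1=1" alone
// already returns every row regardless of owner or visibility.
const payload = "' OR 1=1; DROP TABLE questions; --"

// buildUnsafeQuery reproduces the pattern the issue quotes from get.go:
// the caller-controlled value is spliced into the SQL text with Sprintf.
func buildUnsafeQuery(userEmail string, public int) string {
	return fmt.Sprintf(`
SELECT id, owner, visibility FROM questions
WHERE owner='%s' OR visibility>=%d
`, userEmail, public)
}

// buildSafeQuery keeps the SQL text constant and returns the values separately
// so the driver binds them; a bound value is never parsed as SQL.
// Placeholder syntax (? here) is an assumption about the driver in use.
func buildSafeQuery(userEmail string, public int) (string, []interface{}) {
	const stmt = `
SELECT id, owner, visibility FROM questions
WHERE owner=? OR visibility>=?
`
	return stmt, []interface{}{userEmail, public}
}

// getVisibleRows is the hardened call site: db.Query with placeholder
// arguments, which is all a one-off query needs. db.Prepare is only worth it
// when the same statement is executed many times.
func getVisibleRows(db *sql.DB, userEmail string, public int) (*sql.Rows, error) {
	stmt, args := buildSafeQuery(userEmail, public)
	return db.Query(stmt, args...)
}

// countStatements is a demonstration-only heuristic: it counts statements by
// looking for ';' outside single-quoted strings and ignores "--" line comments.
// A query the application wrote as one statement should report 1.
func countStatements(query string) int {
	n := 0
	inString := false
	pending := false // non-blank SQL seen since the last ';'
	for i := 0; i < len(query); i++ {
		c := query[i]
		if inString {
			if c == '\'' {
				inString = false
			}
			continue
		}
		switch {
		case c == '\'':
			inString = true
			pending = true
		case c == ';':
			n++
			pending = false
		case c == '-' && i+1 < len(query) && query[i+1] == '-':
			// line comment: skip to end of line
			for i < len(query) && query[i] != '\n' {
				i++
			}
		case c == ' ' || c == '\t' || c == '\n' || c == '\r':
			// whitespace does not start a statement
		default:
			pending = true
		}
	}
	if pending {
		n++
	}
	return n
}

func main() {
	unsafe := buildUnsafeQuery(payload, 0)
	fmt.Printf("Sprintf query, %d statement(s):%s\n", countStatements(unsafe), unsafe)
	stmt, args := buildSafeQuery(payload, 0)
	fmt.Printf("placeholder query, %d statement(s):%s\nargs: %v\n", countStatements(stmt), stmt, args)
}
```

With the payload, the Sprintf version turns into two statements and a trailing comment; the placeholder version stays one statement and the payload travels to the driver as a plain string argument. Note that the issue's own payload, `'DROP TABLE questions;'`, does not produce valid SQL inside `owner='%s'`; the version above closes the quote first and comments out the rest of the line.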