From 9fb29bda4a819d6e51c1fd5b5f698a535d74f992 Mon Sep 17 00:00:00 2001
From: pwn
Date: Sun, 14 Dec 2025 10:45:55 +0300
Subject: [PATCH] FIXED SQL INJECTION

---
 rodchenko/app/utils/db.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rodchenko/app/utils/db.py b/rodchenko/app/utils/db.py
index a5d9964..5afc8fa 100755
--- a/rodchenko/app/utils/db.py
+++ b/rodchenko/app/utils/db.py
@@ -406,8 +406,10 @@ def search_artworks(query: str) -> List[Dict]:
     conn = get_db()
     c = conn.cursor()
     try:
-        search_query = f"SELECT * FROM artworks WHERE title LIKE '%{query}%' OR data LIKE '%{query}%'"
-        c.execute(search_query)
+        c.execute(
+            "SELECT * FROM artworks WHERE title LIKE ? OR data LIKE ?",
+            (f"%{query}%", f"%{query}%")
+        )
         results_data = c.fetchall()
         return [
             {
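Review bot: The parameterized query closes the injection, but the bound pattern `f"%{query}%"` still passes `%` and `_` from the caller straight through as LIKE metacharacters, so a user-supplied `%` or `_` widens the match (and an empty `query` yields `%%`, returning every row). Escape the user text and tell the engine which escape character is in use, e.g. `pattern = "%" + query.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"` followed by `"SELECT * FROM artworks WHERE title LIKE ? ESCAPE '\\' OR data LIKE ? ESCAPE '\\'"` with `(pattern, pattern)` as the bindings. The `?` placeholder style assumes the connection from `get_db()` uses qmark paramstyle (sqlite3-like); confirm that against the driver, since other DB-API drivers use `%s`. The body of `search_artworks` continues past the end of this hunk, so the cursor/connection cleanup is not visible here.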