FIXED SQL INJECTION

rodchenko/app/utils/db.py

@@ -406,8 +406,10 @@ def search_artworks(query: str) -> List[Dict]:
     conn = get_db()
     c = conn.cursor()
     try:
-        search_query = f"SELECT * FROM artworks WHERE title LIKE '%{query}%' OR data LIKE '%{query}%'"
-        c.execute(search_query)
+        c.execute(
+            "SELECT * FROM artworks WHERE title LIKE ? OR data LIKE ?",
+            (f"%{query}%", f"%{query}%")
+        )
         results_data = c.fetchall()
         return [
             {