Description
Currently, the search endpoint query construction appears to use unparameterized string building for full-text search matching on message content. This presents a high security risk of SQL injection (SQLi) attacks.
Proposed Refactoring
- Replace raw string formatting with parameterized binding queries.
- Use ORM query builders (e.g. Prisma / Mongoose / Sequelize depending on backend stack) or parameterize raw PostgreSQL/MySQL queries directly.
Description
Currently, the search endpoint query construction appears to use unparameterized string building for full-text search matching on message content. This presents a high security risk of SQL injection (SQLi) attacks.
Proposed Refactoring