honeyDueAPI/internal/middleware/sanitize.go

package middleware

import "strings"

// SanitizeSortColumn validates a user-supplied sort column against an allowlist.
// Returns defaultCol if the input is empty or not in the allowlist.
// This prevents SQL injection via ORDER BY clauses.
func SanitizeSortColumn(input string, allowedCols []string, defaultCol string) string {
	input = strings.TrimSpace(input)
	if input == "" {
		return defaultCol
	}
	for _, col := range allowedCols {
		if strings.EqualFold(input, col) {
			return col
		}
	}
	return defaultCol
}