sikebe-demo · SIkebe · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025 · Copilot
diff --git a/src/RazorPagesProject/Program.cs b/src/RazorPagesProject/Program.cs
@@ -1,3 +1,4 @@
+using System;
 using System.Net.Http.Headers;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Localization;
@@ -47,6 +48,7 @@
 });
 
 builder.Services.AddScoped<IQuoteService, QuoteService>();
+builder.Services.AddScoped<IMessageSearchService, MessageSearchService>();
 
 var app = builder.Build();
 
@@ -72,6 +74,16 @@
 app.UseRouting();
 app.UseAuthorization();
 app.MapRazorPages();
+app.MapGet("/messages/filter", async (string? term, IMessageSearchService searchService) =>
+{
+    if (string.IsNullOrWhiteSpace(term))
+    {
+        return Results.Json(Array.Empty<Message>());
+    }
+
+    var results = await searchService.SearchAsync(term);
+    return Results.Json(results);
+});
 app.Run();
 
 static void SeedDatabase(WebApplication app)

diff --git a/src/RazorPagesProject/Services/IMessageSearchService.cs b/src/RazorPagesProject/Services/IMessageSearchService.cs
@@ -0,0 +1,8 @@
+using RazorPagesProject.Data;
+
+namespace RazorPagesProject.Services;
+
+public interface IMessageSearchService
+{
+    Task<IReadOnlyList<Message>> SearchAsync(string term);
+}
diff --git a/src/RazorPagesProject/Services/MessageSearchService.cs b/src/RazorPagesProject/Services/MessageSearchService.cs
@@ -0,0 +1,30 @@
+using System;
+using Microsoft.EntityFrameworkCore;
+using RazorPagesProject.Data;
+
+namespace RazorPagesProject.Services;
+
+public class MessageSearchService : IMessageSearchService
+{
+    private readonly ApplicationDbContext dbContext;
+
+    public MessageSearchService(ApplicationDbContext dbContext)
+    {
+        this.dbContext = dbContext;
+    }
+
+    public async Task<IReadOnlyList<Message>> SearchAsync(string term)
+    {
+        if (string.IsNullOrWhiteSpace(term))
+        {
+            return Array.Empty<Message>();
+        }
+
+        var sql = $"SELECT Id, Text FROM Messages WHERE Text LIKE '%{term}%'";
+
+        return await dbContext.Messages
+            .FromSqlRaw(sql)
-        var sql = $"SELECT Id, Text FROM Messages WHERE Text LIKE '%{term}%'";
-
-        return await dbContext.Messages
-            .FromSqlRaw(sql)
+        // Use parameterized query with EF.Functions.Like to prevent SQL injection
+        return await dbContext.Messages
+            .Where(m => EF.Functions.Like(m.Text, $"%{term}%"))
-        var sql = $"SELECT Id, Text FROM Messages WHERE Text LIKE '%{term}%'";
-
-        return await dbContext.Messages
-            .FromSqlRaw(sql)
+        // Use parameterized query with EF.Functions.Like to prevent SQL injection
+        return await dbContext.Messages
+            .Where(m => EF.Functions.Like(m.Text, $"%{term}%"))
+            .AsNoTracking()
+            .ToListAsync();
+    }
+}