From 67dd2b419a28510e6d89991e86e5d0aa97cac273 Mon Sep 17 00:00:00 2001
From: Samantaz Fox
Date: Wed, 26 Jan 2022 17:30:54 +0100
Subject: [PATCH] db: use prepared statements rather than crafted argument list

---
 src/invidious/database/channels.cr | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/invidious/database/channels.cr b/src/invidious/database/channels.cr
index e35b981d..df44e485 100644
--- a/src/invidious/database/channels.cr
+++ b/src/invidious/database/channels.cr
@@ -77,14 +77,13 @@ module Invidious::Database::Channels
   def select(ids : Array(String)) : Array(InvidiousChannel)?
     return [] of InvidiousChannel if ids.empty?
 
-    values = ids.map { |id| %(('#{id}')) }.join(",")
     request = <<-SQL
       SELECT *
       FROM channels
-      WHERE id = ANY(VALUES #{values})
+      WHERE id = ANY($1)
     SQL
 
-    return PG_DB.query_all(request, as: InvidiousChannel)
+    return PG_DB.query_all(request, ids, as: InvidiousChannel)
   end
 end
 
@@ -127,11 +126,11 @@ module Invidious::Database::ChannelVideos
     request = <<-SQL
       SELECT *
       FROM channel_videos
-      WHERE id IN (#{arg_array(ids)})
+      WHERE id = ANY($1)
       ORDER BY published DESC
     SQL
 
-    return PG_DB.query_all(request, args: ids, as: ChannelVideo)
+    return PG_DB.query_all(request, ids, as: ChannelVideo)
   end
 
   def select_notfications(ucid : String, since : Time) : Array(ChannelVideo)
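Review bot: The new call `PG_DB.query_all(request, ids, as: InvidiousChannel)` relies on a subtle detail that nothing in the hunk records: `ids` is passed as one positional argument, so the whole array is bound as the single `$1` parameter that `WHERE id = ANY($1)` expects, whereas the superficially similar `args: ids` form used elsewhere in this file would spread the elements over `$1..$n` and break the query at runtime. A one-line comment above the call, `# bind the whole array as ONE parameter ($1); do not use args: ids, which spreads it into $1..$n`, would stop the next edit from reverting it. It is also worth stating in the commit message or a comment that the removed `%(('#{id}'))` interpolation placed unescaped strings directly into the SQL text, so this is an injection fix rather than only a cleanup; whether `ids` can carry caller-supplied values is not visible from this file. Keeping the `ids.empty?` early return on the context line is fine, though with `= ANY($1)` an empty array is now valid SQL that simply returns no rows, so that guard is an optimisation rather than a correctness requirement.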
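Review bot: The enclosing method's head lies outside this hunk, so it is not visible whether it guards against an empty `ids` the way `Channels.select` does; that matters less after this change, because the old `IN (#{arg_array(ids)})` would have produced invalid SQL for an empty list while `WHERE id = ANY($1)` with an empty array is valid and returns no rows, so any such guard above is now only an optimisation and its comment should say so. The same binding subtlety applies to `PG_DB.query_all(request, ids, as: ChannelVideo)`: the old line used `args: ids` to spread the elements over `$1..$n`, and the new line deliberately passes `ids` as a single array parameter, which deserves a comment such as `# ids is bound as one array parameter ($1), not spread via args:` so the two forms are not confused later. Postgres presumably infers `$1` as the array type matching the `id` column; if `id` is not a text column that assumption should be checked once against the schema. The misspelled `select_notfications` on the last context line is a pre-existing public name and not something this commit should rename.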