db: use prepared statements rather than crafted argument list

This commit is contained in:
Samantaz Fox 2022-01-26 17:30:54 +01:00
parent ce4a52325b
commit 67dd2b419a
No known key found for this signature in database
GPG key ID: F42821059186176E


@ -77,14 +77,13 @@ module Invidious::Database::Channels
def select(ids : Array(String)) : Array(InvidiousChannel)? def select(ids : Array(String)) : Array(InvidiousChannel)?
return [] of InvidiousChannel if ids.empty? return [] of InvidiousChannel if ids.empty?
values = ids.map { |id| %(('#{id}')) }.join(",")
request = <<-SQL request = <<-SQL
SELECT * FROM channels SELECT * FROM channels
WHERE id = ANY(VALUES #{values}) WHERE id = ANY($1)
SQL SQL
return PG_DB.query_all(request, as: InvidiousChannel) return PG_DB.query_all(request, ids, as: InvidiousChannel)
end end
end end
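Review bot: The new `PG_DB.query_all(request, ids, as: InvidiousChannel)` call relies on `ids` being passed positionally so that the whole array is bound as the single `$1` parameter that `ANY($1)` expects, but nothing in the method says so; the second hunk (`ChannelVideos.select`) even moves from `args: ids` to positional `ids`, and a future reader could easily "restore" the `args:` keyword, which as far as I can tell from the crystal-db API spreads the elements into `$1, $2, …` and would break the query. I would add a one-line comment above the `return` in both methods: `# Bind the whole array as a single parameter ($1) for ANY(); do not pass it via args:, which spreads the elements.` The `ids.empty?` early return is still needed, since an empty array bound to `ANY($1)` would return no rows anyway but the comment should make clear it is a cheap shortcut rather than a correctness guard. The signature's `Array(InvidiousChannel)?` return type is context here, but the body visible in the hunk never returns nil, so the nilable return could be dropped in a follow-up.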
@ -127,11 +126,11 @@ module Invidious::Database::ChannelVideos
request = <<-SQL request = <<-SQL
SELECT * FROM channel_videos SELECT * FROM channel_videos
WHERE id IN (#{arg_array(ids)}) WHERE id = ANY($1)
ORDER BY published DESC ORDER BY published DESC
SQL SQL
return PG_DB.query_all(request, args: ids, as: ChannelVideo) return PG_DB.query_all(request, ids, as: ChannelVideo)
end end
def select_notfications(ucid : String, since : Time) : Array(ChannelVideo) def select_notfications(ucid : String, since : Time) : Array(ChannelVideo)