From 21ba8267f1bc5f032e5fc77af2c17c6ecfcaacb7 Mon Sep 17 00:00:00 2001
From: bain <bain@bain.cz>
Date: Tue, 29 Aug 2023 16:30:47 +0200
Subject: [PATCH] change view sql query construction

---
 view/app.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/view/app.py b/view/app.py
index 4f493db..51ebe74 100644
--- a/view/app.py
+++ b/view/app.py
@@ -69,22 +69,27 @@ def index():
     selected_feeds = request.args.getlist("feeds[]")
 
     sql_select = "SELECT * FROM diffs "
+    sql_select_args = []
     sql_count = "SELECT count(*) FROM diffs "
+    sql_count_args = []
 
     if query:
-        sql_part_query = f"JOIN (SELECT rowid FROM diffs_fts({query})) filter ON filter.rowid = diffs.diff_id "
+        sql_part_query = "JOIN (SELECT rowid FROM diffs_fts(?)) filter ON filter.rowid = diffs.diff_id "
         sql_select = sql_select + sql_part_query
+        sql_select_args.append(query)
         sql_count = sql_count + sql_part_query
+        sql_count_args.append(query)
 
     if selected_feeds:
-        feeds = str(selected_feeds).strip("[]")
-        sql_part_feeds = f"WHERE feed_name in ({feeds}) "
+        sql_part_feeds = f"WHERE feed_name in ({','.join(['?' for _ in range(len(selected_feeds))])}) "
         sql_select = sql_select + sql_part_feeds
+        sql_select_args += selected_feeds
         sql_count = sql_count + sql_part_feeds
+        sql_count_args += selected_feeds
 
     # flask-paginate
     page = request.args.get(get_page_parameter(), type=int, default=1)
-    db.execute(sql_count)
+    db.execute(sql_count, sql_count_args)
     diff_count = db.fetchall()[0][0]
 
     pagination = Pagination(
@@ -94,10 +99,11 @@ def index():
     per_page = pagination.per_page
 
     # Create and execute final query after getting page info
-    sql_part_pagination = f"ORDER BY diff_id DESC LIMIT {per_page} OFFSET {page_skip} "
+    sql_part_pagination = "ORDER BY diff_id DESC LIMIT ? OFFSET ? "
     sql_select = sql_select + sql_part_pagination
+    sql_select_args += [per_page, page_skip]
     print(sql_select)
-    db.execute(sql_select)
+    db.execute(sql_select, sql_select_args)
 
     # This would be a cleaner way to do it, but I have no clue how to make it work. Giving multiple feeds to the query is just seemingly impossible in sqlite.
     # What about switching to Elasticsearch? :)