Rev3864, Fix newsfeed sql query with many parameters

HelloZeroNet · Apr 29, 2019 · 9b27441 · 9b27441
1 parent 8dd3a84
commit 9b27441
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 13 deletions.
diff --git a/plugins/Newsfeed/NewsfeedPlugin.py b/plugins/Newsfeed/NewsfeedPlugin.py
@@ -4,6 +4,7 @@
 from Plugin import PluginManager
 from Db import DbQuery
 from Debug import Debug
+from util import helper
 
 
 @PluginManager.registerTo("UiWebsocket")
@@ -66,14 +67,14 @@ def actionFeedQuery(self, to, limit=10, day_limit=3):
                     query = " UNION ".join(query_parts)
 
                     if ":params" in query:
-                        query = query.replace(":params", ",".join(["?"] * len(params)))
-                        res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit, params * query_raw.count(":params"))
-                    else:
-                        res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit)
+                        query_params = map(helper.sqlquote, params)
+                        query = query.replace(":params", ",".join(query_params))
+
+                    res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit)
 
                 except Exception as err:  # Log error
                     self.log.error("%s feed query %s error: %s" % (address, name, Debug.formatException(err)))
-                    stats.append({"site": site.address, "feed_name": name, "error": str(err), "query": query})
+                    stats.append({"site": site.address, "feed_name": name, "error": str(err)})
                     continue
 
                 for row in res:

diff --git a/src/Config.py b/src/Config.py
@@ -13,7 +13,7 @@ class Config(object):
 
     def __init__(self, argv):
         self.version = "0.6.5"
-        self.rev = 3863
+        self.rev = 3864
         self.argv = argv
         self.action = None
         self.pending_changes = {}

diff --git a/src/Db/DbCursor.py b/src/Db/DbCursor.py
@@ -1,5 +1,7 @@
 import time
 import re
+from util import helper
+
 
 # Special sqlite cursor
 
@@ -12,12 +14,6 @@ def __init__(self, conn, db):
         self.cursor = conn.cursor()
         self.logging = False
 
-    def quoteValue(self, value):
-        if type(value) is int:
-            return str(value)
-        else:
-            return "'%s'" % value.replace("'", "''")
-
     def execute(self, query, params=None):
         self.db.last_query_time = time.time()
         if isinstance(params, dict) and "?" in query:  # Make easier select and insert by allowing dict params
@@ -35,7 +31,7 @@ def execute(self, query, params=None):
                             operator = "IN"
                         if len(value) > 100:
                             # Embed values in query to avoid "too many SQL variables" error
-                            query_values = ",".join(map(self.quoteValue, value))
+                            query_values = ",".join(map(helper.sqlquote, value))
                         else:
                             query_values = ",".join(["?"] * len(value))
                             values += value

diff --git a/src/util/helper.py b/src/util/helper.py
@@ -72,6 +72,13 @@ def getFreeSpace():
     return free_space
 
 
+def sqlquote(value):
+    if type(value) is int:
+        return str(value)
+    else:
+        return "'%s'" % value.replace("'", "''")
+
+
 def shellquote(*args):
     if len(args) == 1:
         return '"%s"' % args[0].replace('"', "")