Rev3864, Fix newsfeed sql query with many parameters

2019-04-29 16:36:33 +02:00 · 2019-04-29 16:36:33 +02:00 · 9b274415e0
parent 8dd3a8495b
commit 9b274415e0
4 changed files with 17 additions and 13 deletions
--- a/plugins/Newsfeed/NewsfeedPlugin.py
+++ b/plugins/Newsfeed/NewsfeedPlugin.py
@ -4,6 +4,7 @@ import re
 from Plugin import PluginManager
 from Db import DbQuery
 from Debug import Debug
+from util import helper


@PluginManager.registerTo("UiWebsocket")
@ -66,14 +67,14 @@ class UiWebsocketPlugin(object):
                    query = " UNION ".join(query_parts)

                    if ":params" in query:
-                        query = query.replace(":params", ",".join(["?"] * len(params)))
-                        res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit, params * query_raw.count(":params"))
-                    else:
-                        res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit)
+                        query_params = map(helper.sqlquote, params)
+                        query = query.replace(":params", ",".join(query_params))
+
+                    res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit)

                except Exception as err:  # Log error
                    self.log.error("%s feed query %s error: %s" % (address, name, Debug.formatException(err)))
-                    stats.append({"site": site.address, "feed_name": name, "error": str(err), "query": query})
+                    stats.append({"site": site.address, "feed_name": name, "error": str(err)})
                    continue

                for row in res:
--- a/src/Config.py
+++ b/src/Config.py
@ -13,7 +13,7 @@ class Config(object):

    def __init__(self, argv):
        self.version = "0.6.5"
-        self.rev = 3863
+        self.rev = 3864
        self.argv = argv
        self.action = None
        self.pending_changes = {}
--- a/src/Db/DbCursor.py
+++ b/src/Db/DbCursor.py
@ -1,5 +1,7 @@
 import time
 import re
+from util import helper
+

 # Special sqlite cursor

@ -12,12 +14,6 @@ class DbCursor:
        self.cursor = conn.cursor()
        self.logging = False

-    def quoteValue(self, value):
-        if type(value) is int:
-            return str(value)
-        else:
-            return "'%s'" % value.replace("'", "''")
-
    def execute(self, query, params=None):
        self.db.last_query_time = time.time()
        if isinstance(params, dict) and "?" in query:  # Make easier select and insert by allowing dict params
@ -35,7 +31,7 @@ class DbCursor:
                            operator = "IN"
                        if len(value) > 100:
                            # Embed values in query to avoid "too many SQL variables" error
-                            query_values = ",".join(map(self.quoteValue, value))
+                            query_values = ",".join(map(helper.sqlquote, value))
                        else:
                            query_values = ",".join(["?"] * len(value))
                            values += value
--- a/src/util/helper.py
+++ b/src/util/helper.py
@ -72,6 +72,13 @@ def getFreeSpace():
    return free_space


+def sqlquote(value):
+    if type(value) is int:
+        return str(value)
+    else:
+        return "'%s'" % value.replace("'", "''")
+
+
 def shellquote(*args):
    if len(args) == 1:
        return '"%s"' % args[0].replace('"', "")