From 8d66493c016853937c4595b4c380ec03c5aa1b3c Mon Sep 17 00:00:00 2001
From: Omar Roth <omarroth@hotmail.com>
Date: Mon, 2 Apr 2018 18:38:03 -0500
Subject: [PATCH] Remove string interpolation from SQL queries

---
 src/helpers.cr   |  2 --
 src/invidious.cr | 12 ++++++------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/helpers.cr b/src/helpers.cr
index 47652163..b0c61d27 100644
--- a/src/helpers.cr
+++ b/src/helpers.cr
@@ -553,8 +553,6 @@ def fetch_channel(id, client, db)
     db.exec("UPDATE users SET notifications = notifications || $1 \
     WHERE updated < $2 AND $3 = ANY(subscriptions) AND $1 <> ALL(notifications)", video_id, published, ucid)
 
-    # UPDATE users SET notifications = notifications || ARRAY['Os9Rypn2rEQ'] WHERE updated < '2018-03-24 20:48:46' AND 'UCSc16oMxxlcJSb9SXkjwMjA' = ANY(subscriptions) AND 'Os9Rypn2rEQ' <> ALL (notifications);
-
     # TODO: Update record on conflict
     db.exec("INSERT INTO channel_videos VALUES (#{args})\
       ON CONFLICT (id) DO NOTHING", video_array)
diff --git a/src/invidious.cr b/src/invidious.cr
index 2f7c3c89..55fe2334 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -127,9 +127,9 @@ channel_threads.times do |i|
   spawn do
     loop do
       query = "SELECT id FROM channels ORDER BY updated \
-      LIMIT (SELECT count(*)/#{channel_threads} FROM channels) \
-      OFFSET (SELECT count(*)*#{i}/#{channel_threads} FROM channels)"
-      PG_DB.query(query) do |rs|
+      LIMIT (SELECT count(*)/$2 FROM channels) \
+      OFFSET (SELECT count(*)*$1/$2 FROM channels)"
+      PG_DB.query(query, i, channel_threads) do |rs|
         rs.each do
           client = get_client(youtube_pool)
           id = rs.read(String)
@@ -590,10 +590,10 @@ get "/feed/subscriptions" do |env|
     user = get_user(sid, client, headers, PG_DB)
     youtube_pool << client
 
-    args = arg_array(user.subscriptions)
+    args = arg_array(user.subscriptions, 3)
     offset = (page - 1) * max_results
-    videos = PG_DB.query_all("SELECT * FROM channel_videos WHERE ucid IN (#{args})\
-    ORDER BY published DESC LIMIT #{max_results} OFFSET #{offset}", user.subscriptions, as: ChannelVideo)
+    videos = PG_DB.query_all("SELECT * FROM channel_videos WHERE ucid IN (#{args}) \
+    ORDER BY published DESC LIMIT $1 OFFSET $2", [max_results, offset] + user.subscriptions, as: ChannelVideo)
 
     env.set "notifications", 0