From 90329ebae3a03fddb73f25b8560868bb8e42af2a Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Thu, 7 Feb 2019 08:32:06 -0800
Subject: [PATCH] Use queryparams for server queries. Fixes #44.

---
 server/service/src/main.rs | 38 +++++++++++++++-----------------------
 1 file changed, 15 insertions(+), 23 deletions(-)

diff --git a/server/service/src/main.rs b/server/service/src/main.rs
index bbda70f..0dcfc25 100644
--- a/server/service/src/main.rs
+++ b/server/service/src/main.rs
@@ -10,7 +10,7 @@ use actix_web::{fs, fs::NamedFile, http, server, App, HttpRequest, HttpResponse,
 use std::env;
 use std::ops::Deref;
 
-use rusqlite::{Connection, NO_PARAMS};
+use rusqlite::{Connection};
 
 fn main() {
     println!("Access me at http://localhost:8080");
@@ -87,18 +87,15 @@ struct Torrent {
 }
 
 fn torrent_search(query: &str, size: usize, offset: usize) -> Vec {
-    let stmt_str = format!(
-        "select * from torrents where name like '%{}%' limit {} offset {}",
-        query.replace(" ", "%").replace("\'","''"),
-        size,
-        offset
-    );
-
+    let stmt_str = "select * from torrents where name like '%' || ?1 || '%' limit ?2 offset ?3";
     let conn = Connection::open(torrents_db_file()).unwrap();
-
     let mut stmt = conn.prepare(&stmt_str).unwrap();
     let torrent_iter = stmt
-        .query_map(NO_PARAMS, |row| Torrent {
+        .query_map(&[
+            query.replace(" ", "%"),
+            size.to_string(),
+            offset.to_string(),
+        ], |row| Torrent {
             infohash: row.get(0),
             name: row.get(1),
             size_bytes: row.get(2),
@@ -107,8 +104,7 @@ fn torrent_search(query: &str, size: usize, offset: usize) -> Vec {
             leechers: row.get(5),
             completed: row.get(6),
             scraped_date: row.get(7),
-        })
-        .unwrap();
+        }).unwrap();
 
     let mut torrents = Vec::new();
     for torrent in torrent_iter {
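Review bot: The value bound on the `.query_map(&[` lines of this hunk, and identically in the torrent_file_search hunk below, still passes any `%` or `_` present in `query` straight into LIKE as wildcards, so parameterization removes the quoting problem but the user text can still widen the match beyond a literal substring search. If that is not intended, escape those two characters before the `replace(" ", "%")` and append `ESCAPE '\'` to the statement on the `+    let stmt_str` line. The `size.to_string()` and `offset.to_string()` bindings also send LIMIT and OFFSET as text, which SQLite coerces to integers but which reads as an accident of keeping the slice homogeneous; binding them as integers (for example via `i64::try_from`) in a `&[&dyn ToSql]` slice would make the intent explicit. The `.unwrap()` calls on `Connection::open` and `prepare` are pre-existing and turn a missing or locked database file into a panic in the request path. torrent_search's body continues past this hunk.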
@@ -131,18 +127,15 @@ struct File {
 }
 
 fn torrent_file_search(query: &str, size: usize, offset: usize) -> Vec {
-    let stmt_str = format!(
-        "select * from files where path like '%{}%' limit {} offset {}",
-        query.replace(" ", "%").replace("\'","''"),
-        size,
-        offset
-    );
-
+    let stmt_str = "select * from files where path like '%' || ?1 || '%' limit ?2 offset ?3";
     let conn = Connection::open(torrents_db_file()).unwrap();
-
     let mut stmt = conn.prepare(&stmt_str).unwrap();
     let file_iter = stmt
-        .query_map(NO_PARAMS, |row| File {
+        .query_map(&[
+            query.replace(" ", "%"),
+            size.to_string(),
+            offset.to_string(),
+        ], |row| File {
             infohash: row.get(0),
             index_: row.get(1),
             path: row.get(2),
@@ -152,8 +145,7 @@ fn torrent_file_search(query: &str, size: usize, offset: usize) -> Vec {
             leechers: row.get(6),
             completed: row.get(7),
             scraped_date: row.get(8),
-        })
-        .unwrap();
+        }).unwrap();
 
     let mut files = Vec::new();
     for file in file_iter {