From 99b0b4f5b8d912afe62e88301628ffc7540c5f83 Mon Sep 17 00:00:00 2001 From: Omar Roth Date: Tue, 9 Jul 2019 09:34:19 -0500 Subject: [PATCH] Fix escaping for materialized view SQL --- src/invidious/users.cr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/invidious/users.cr b/src/invidious/users.cr index c988c0c4..1b5d34c6 100644 --- a/src/invidious/users.cr +++ b/src/invidious/users.cr @@ -1,7 +1,7 @@ require "crypto/bcrypt/password" # Materialized views may not be defined using bound parameters (`$1` as used elsewhere) -MATERIALIZED_VIEW_SQL = ->(email : String) { "SELECT cv.* FROM channel_videos cv WHERE EXISTS (SELECT subscriptions FROM users u WHERE cv.ucid = ANY (u.subscriptions) AND u.email = E'#{email.gsub("'", "\\'")}') ORDER BY published DESC" } +MATERIALIZED_VIEW_SQL = ->(email : String) { "SELECT cv.* FROM channel_videos cv WHERE EXISTS (SELECT subscriptions FROM users u WHERE cv.ucid = ANY (u.subscriptions) AND u.email = E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}') ORDER BY published DESC" } struct User module PreferencesConverter