authorraylu <raylu@mixpanel.com>2011-08-07 23:39:19 -0700
committerraylu <raylu@mixpanel.com>2011-08-07 23:39:19 -0700
commite6b9900d3ba394eba04b84a8a01be644d43d642c (patch)
tree232ebd270085d94ba5157ffe0c376b168a488818 /main.go
parentf6b3401e74d19b7f66d3edf3f84f667001972cea (diff)
always use bound params
Diffstat (limited to 'main.go')
-rw-r--r--main.go39
1 files changed, 15 insertions, 24 deletions
diff --git a/main.go b/main.go
index feee0a6..3bec1b9 100644
--- a/main.go
+++ b/main.go
@@ -73,13 +73,8 @@ func add(w http.ResponseWriter, r *http.Request) {
http.Error(w, err.String(), http.StatusInternalServerError)
return
}
- sql := "INSERT INTO `song` (`pid`,`yid`,`title`,`user`,`order`) VALUES(%d,'%s','%s','%s','%d')"
- sql = fmt.Sprintf(sql, pid,
- db.Escape(q.Get("yid")),
- db.Escape(q.Get("title")),
- db.Escape(q.Get("user")),
- maxOrder + 1)
- err = execute(sql)
+ _, err = prepare("INSERT INTO `song` (`pid`,`yid`,`title`,`user`,`order`) VALUES(?, ?, ?, ?, ?)",
+ pid, q.Get("yid"), q.Get("title"), q.Get("user"), maxOrder + 1)
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
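Review bot: The three request fields bound on the new INSERT (`q.Get("yid")`, `q.Get("title")`, `q.Get("user")`) go into the row with no validation at all, so binding now stops injection but an empty or arbitrarily long value is still stored; I'd reject empties before the statement, e.g. `if q.Get("yid") == "" || q.Get("title") == "" { http.Error(w, "missing yid or title", http.StatusBadRequest); return }`, and cap lengths to whatever the column definitions allow. The first return value of `prepare` is discarded on the INSERT line; in the `move` hunk of this same diff that value is kept and read for `AffectedRows`, so if it is a statement or result handle that needs freeing, the discard here leaks it — worth confirming against `prepare`'s definition, which is not in this diff. Under gofmt the argument `maxOrder + 1` is written `maxOrder+1`. The body of `add` starts and ends outside the hunk.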
@@ -111,25 +106,23 @@ func remove(w http.ResponseWriter, r *http.Request) {
}
order, err := queryInt("SELECT `order` FROM `song` WHERE `yid` = ? AND `pid` = ?",
- q.Get("yid"), pid)
+ q.Get("yid"), pid)
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
return
}
- sql := "DELETE FROM `song` WHERE `pid` = %d AND yid = '%s'"
- sql = fmt.Sprintf(sql, pid, db.Escape(q.Get("yid")))
- err = execute(sql)
+ _, err = prepare("DELETE FROM `song` WHERE `pid` = ? AND yid = ?",
+ pid, q.Get("yid"))
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
return
}
- sql = "UPDATE `song` SET `order` = `order`-1 WHERE `order` > %d AND `pid` = %d"
- sql = fmt.Sprintf(sql, order, pid)
- err = execute(sql)
+ _, err = prepare("UPDATE `song` SET `order` = `order`-1 WHERE `order` > ? AND `pid` = ?",
+ order, pid)
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
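Review bot: The new DELETE writes the column as plain `yid = ?` while the `pid` beside it and every other statement in this diff backtick-quote their column names; quote it the same way so the statements read consistently. More substantively, neither the DELETE nor the following order-decrement UPDATE checks how many rows it touched: nothing visible here prevents the same `yid` appearing twice in one playlist, and in that case the DELETE removes every copy while the decrement accounts for only one, leaving gaps in `order` that are still committed. If the handle returned by `prepare` exposes `AffectedRows` as it does in `move`, keep it and roll back with a 500 when `AffectedRows != 1` after the DELETE. The body of `remove` starts and ends outside the hunk.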
@@ -167,7 +160,7 @@ func move(w http.ResponseWriter, r *http.Request) {
}
order, err := queryInt("SELECT `order` FROM `song` WHERE `yid` = ? AND `pid` = ?",
- q.Get("yid"), pid)
+ q.Get("yid"), pid)
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
@@ -184,22 +177,20 @@ func move(w http.ResponseWriter, r *http.Request) {
return
}
- sql := "UPDATE `song` SET `order` = %d WHERE `order` = %d AND pid = %d"
- sql = fmt.Sprintf(sql, order, newOrder, pid)
- err = execute(sql)
+ query, err := prepare("UPDATE `song` SET `order` = ? WHERE `order` = ? AND `pid` = ?",
+ order, newOrder, pid)
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
return
- } else if db.AffectedRows != 1 {
+ } else if query.AffectedRows != 1 {
db.Rollback()
http.Error(w, "invalid direction for this song", http.StatusBadRequest)
return
}
// there are now two songs with that order, so also check yid
- sql = "UPDATE `song` SET `order` = %d WHERE `order` = %d AND pid = %d AND yid = '%s'"
- sql = fmt.Sprintf(sql, newOrder, order, pid, q.Get("yid"))
- err = db.Query(sql)
+ _, err = prepare("UPDATE `song` SET `order` = ? WHERE `order` = ? AND `pid` = ? AND `yid` = ?",
+ newOrder, order, pid, q.Get("yid"))
if err != nil {
db.Rollback()
http.Error(w, err.String(), http.StatusInternalServerError)
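Review bot: The second UPDATE in the new `move` code (the one that also matches `yid`) discards its result, so its row count is never checked, whereas the first UPDATE is rejected with a 400 unless exactly one row changed. If the first UPDATE succeeds but the second matches nothing — for instance the song was moved by a concurrent request between the `queryInt` lookup above and this statement, which the transaction may or may not prevent depending on the isolation level — the playlist is left with two songs sharing `newOrder` and, presumably, the transaction is still committed after the hunk. Keep the handle and check it the same way as the first statement: `query, err = prepare("UPDATE ...", newOrder, order, pid, q.Get("yid"))` followed by `} else if query.AffectedRows != 1 { db.Rollback(); http.Error(w, "song changed concurrently", http.StatusConflict); return }`. The body of `move` starts and ends outside the hunk.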
@@ -221,8 +212,8 @@ func poll(w http.ResponseWriter, r *http.Request) {
timestamp := q.Get("timestamp")
if timestamp == "0" {
query, err := prepare(
- "SELECT `yid`,`title`,`user` FROM `playlist` JOIN `song` WHERE `id` = ? ORDER BY `order` ASC",
- q.Get("pid"))
+ "SELECT `yid`,`title`,`user` FROM `playlist` JOIN `song` WHERE `id` = ? ORDER BY `order` ASC",
+ q.Get("pid"))
updates := make([]Update, 0, 2)
for {