From 7bef78e10f97352246aaa3ea511a1e44b8e9c47c Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Mon, 29 Apr 2019 16:44:13 +0200
Subject: [PATCH] Fix newsfeed sql query with many parameters
---
 plugins/Newsfeed/NewsfeedPlugin.py | 11 ++++++-----
 src/Db/DbCursor.py | 4 +++-
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/plugins/Newsfeed/NewsfeedPlugin.py b/plugins/Newsfeed/NewsfeedPlugin.py
index 10acd7cc..461401ac 100644
--- a/plugins/Newsfeed/NewsfeedPlugin.py
+++ b/plugins/Newsfeed/NewsfeedPlugin.py
@@ -4,6 +4,7 @@ import re
 from Plugin import PluginManager
 from Db.DbQuery import DbQuery
 from Debug import Debug
+from util import helper
 @PluginManager.registerTo("UiWebsocket")
@@ -66,14 +67,14 @@ class UiWebsocketPlugin(object):
 query = " UNION ".join(query_parts)
 if ":params" in query:
- query = query.replace(":params", ",".join(["?"] * len(params)))
- res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit, params * query_raw.count(":params"))
- else:
- res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit)
+ query_params = map(helper.sqlquote, params)
+ query = query.replace(":params", ",".join(query_params))
+
+ res = site.storage.query(query + " ORDER BY date_added DESC LIMIT %s" % limit)
 except Exception as err: # Log error
 self.log.error("%s feed query %s error: %s" % (address, name, Debug.formatException(err)))
- stats.append({"site": site.address, "feed_name": name, "error": str(err), "query": query})
+ stats.append({"site": site.address, "feed_name": name, "error": str(err)})
 continue
 for row in res:
diff --git a/src/Db/DbCursor.py b/src/Db/DbCursor.py
index 36987c9a..274782ec 100644
--- a/src/Db/DbCursor.py
+++ b/src/Db/DbCursor.py
@@ -1,6 +1,8 @@
 import time
 import re
 import gevent
+from util import helper
+
+ # Special sqlite cursor
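Review bot: In the `:params` branch of the second NewsfeedPlugin.py hunk, the IN list is now spliced into the SQL text (`query.replace(":params", ",".join(query_params))`) instead of being bound through `?` placeholders, so injection safety rests entirely on `helper.sqlquote`, whose body is not part of this diff. The DbCursor.py hunk at `query_values = ",".join(map(helper.sqlquote, value))` depends on the same helper, but only above 100 values; the newsfeed path could follow that rule and keep `",".join(["?"] * len(params))` with bound parameters while `len(params) * query_raw.count(":params")` stays small enough to avoid the "too many SQL variables" error. If embedding stays unconditional, a comment such as `# params are embedded, not bound: helper.sqlquote must escape every value type that can appear here` would make the dependency explicit. The enclosing `try` starts outside the hunk, so where `params` and `limit` come from cannot be checked here; `limit` is also formatted into the query with `%s` and is worth coercing with `int(limit)` if it can be influenced by a feed definition or client.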
@@ -36,7 +38,7 @@ class DbCursor:
 operator = "IN"
 if len(value) > 100:
 # Embed values in query to avoid "too many SQL variables" error
- query_values = ",".join(map(self.quoteValue, value))
+ query_values = ",".join(map(helper.sqlquote, value))
 else:
 query_values = ",".join(["?"] * len(value))
 values += value
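Review bot: `self.quoteValue` loses its caller on the changed line, yet the diffstat for src/Db/DbCursor.py (3 additions, 1 deletion) shows the method itself is not removed, so the class presumably still carries a second quoting routine. Two escapers that can drift apart are a liability on a path that embeds values directly into SQL text; if nothing else calls it, remove it or reduce it to a thin wrapper around `helper.sqlquote`. The enclosing method starts and ends outside the hunk, so other uses of `quoteValue` cannot be ruled out from here.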