Fix Sqlight usage to SQL sanitize

soupstoregames · Apr 8, 2024 · 01b2bb2 · 01b2bb2
1 parent 607db07
commit 01b2bb2
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 39 deletions.
diff --git a/src/data/world.gleam b/src/data/world.gleam
@@ -188,26 +188,26 @@ pub fn insert_exit(
 ) -> Result(Nil, Error) {
   use conn <- sqlight.with_connection(conn_string)
 
+  let decoder = dynamic.element(0, dynamic.int)
   let sql =
-    "INSERT INTO `exits` (`room_id`, `direction`, `target_id`) VALUES "
-    <> "("
-    <> int.to_string(room_id)
-    <> ", '"
-    <> dir_to_str(dir)
-    <> "',"
-    <> int.to_string(target_room_id)
-    <> "), "
-    <> "("
-    <> int.to_string(target_room_id)
-    <> ",'"
-    <> dir_to_str(reverse_dir)
-    <> "',"
-    <> int.to_string(room_id)
-    <> ")"
-    <> ";"
+    "INSERT INTO `exits` (`room_id`, `direction`, `target_id`) VALUES (?, ?, ?), (?, ?, ?) RETURNING id;"
 
-  case sqlight.exec(sql, on: conn) {
-    Ok(Nil) -> Ok(Nil)
+  case
+    sqlight.query(
+      sql,
+      on: conn,
+      with: [
+        sqlight.int(room_id),
+        sqlight.text(dir_to_str(dir)),
+        sqlight.int(target_room_id),
+        sqlight.int(target_room_id),
+        sqlight.text(dir_to_str(reverse_dir)),
+        sqlight.int(room_id),
+      ],
+      expecting: decoder,
+    )
+  {
+    Ok(_) -> Ok(Nil)
     Error(sqlight.SqlightError(_code, message, _offset)) -> {
       Error(SqlError(message))
     }
@@ -221,15 +221,18 @@ pub fn update_room_name(
 ) -> Result(Nil, Error) {
   use conn <- sqlight.with_connection(conn_string)
 
-  let sql =
-    "UPDATE `rooms` SET `name` = '"
-    <> name
-    <> "' WHERE id = "
-    <> int.to_string(room_id)
-    <> ";"
+  let decoder = dynamic.element(0, dynamic.int)
+  let sql = "UPDATE `rooms` SET `name` = ? WHERE `id` = ? RETURNING id;"
 
-  case sqlight.exec(sql, on: conn) {
-    Ok(Nil) -> Ok(Nil)
+  case
+    sqlight.query(
+      sql,
+      on: conn,
+      with: [sqlight.text(name), sqlight.int(room_id)],
+      expecting: decoder,
+    )
+  {
+    Ok(_) -> Ok(Nil)
     Error(sqlight.SqlightError(_code, message, _offset)) -> {
       Error(SqlError(message))
     }
@@ -243,15 +246,18 @@ pub fn update_room_description(
 ) -> Result(Nil, Error) {
   use conn <- sqlight.with_connection(conn_string)
 
-  let sql =
-    "UPDATE `rooms` SET `description` = '"
-    <> description
-    <> "' WHERE id = "
-    <> int.to_string(room_id)
-    <> ";"
+  let decoder = dynamic.element(0, dynamic.int)
+  let sql = "UPDATE `rooms` SET `description` = ? WHERE `id` = ? RETURNING id;"
 
-  case sqlight.exec(sql, on: conn) {
-    Ok(Nil) -> Ok(Nil)
+  case
+    sqlight.query(
+      sql,
+      on: conn,
+      with: [sqlight.text(description), sqlight.int(room_id)],
+      expecting: decoder,
+    )
+  {
+    Ok(_) -> Ok(Nil)
     Error(sqlight.SqlightError(_code, message, _offset)) -> {
       Error(SqlError(message))
     }

diff --git a/src/simulation.gleam b/src/simulation.gleam
@@ -835,11 +835,8 @@ fn list_entities(
   |> list.filter(fn(entity) { entity.id != viewer_id })
   |> list.fold(#([], []), fn(acc, entity) {
     let sentient_query =
-      entity.data
-      |> dataentity.query(dataentity.QuerySentient(False))
-    let name_query =
-      entity.data
-      |> dataentity.query(dataentity.QueryName(None))
+      dataentity.query(entity.data, dataentity.QuerySentient(False))
+    let name_query = dataentity.query(entity.data, dataentity.QueryName(None))
 
     case name_query, sentient_query {
       dataentity.QueryName(Some(name)), dataentity.QuerySentient(True) -> #(