From ba270f85f6ba02c36e50808f34da0579f7745ee1 Mon Sep 17 00:00:00 2001
From: mrbesen <y.g.2@gmx.de>
Date: Sun, 24 Oct 2021 23:10:37 +0200
Subject: [PATCH] escaped some sql

---
 src/main/de/mrbesen/youtubecrawler/DB.java | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/main/de/mrbesen/youtubecrawler/DB.java b/src/main/de/mrbesen/youtubecrawler/DB.java
index 741838d..1f5bbcd 100644
--- a/src/main/de/mrbesen/youtubecrawler/DB.java
+++ b/src/main/de/mrbesen/youtubecrawler/DB.java
@@ -138,7 +138,7 @@ public class DB implements Runnable {
 				for(int i = 0; i < input.size(); i++) {
 					Video v = input.get(i);
 					if(v != null)
-						tostorebuffer.append(",('").append(v.id).append("','").append(v.length).append("','").append(v.created).append("','").append(v.languageCode).append("','").append(v.categorie).append("','").append(v.title).append("','").append(v.channel).append("','").append(v.tags).append("') ");
+						tostorebuffer.append(",('").append(escape(v.id)).append("',").append(v.length).append(",").append(v.created).append(",'").append(escape(v.languageCode)).append("',").append(v.categorie).append(",'").append(escape(v.title)).append("','").append(escape(v.channel)).append("','").append(escape(v.tags)).append("') ");
 				}
 			}
 		}
@@ -157,6 +157,10 @@ public class DB implements Runnable {
 		}
 	}
 
+	private String escape(String e) {
+		return e.replace("'", "\\'");
+	}
+
 	public void updateVideos(List<Video> input) {
 		log.info("Updateing " + input.size() + " videos.");
 		for(Video v : input) {
@@ -167,7 +171,7 @@ public class DB implements Runnable {
 
 	private void updateVideo(Video v) {
 		try {
-			String qu = "UPDATE `videos` SET `length` = '" + v.length + "', `created` = '" + v.created + "', `langcode` = SUBSTR('" + v.languageCode + "', 1, 3) ,`category` = '" + v.categorie + "',`videotitle` = SUBSTR('" + v.title + "',1,100),`channel` = SUBSTR('" + v.channel + "',1,20),`tags` = '" + v.tags.substring(0, v.tags.length() > 40 ? 40 : v.tags.length()) + "' WHERE `id` = '" + v.id + "';";
+			String qu = "UPDATE `videos` SET `length` = " + v.length + ", `created` = " + v.created + ", `langcode` = SUBSTR('" + v.languageCode + "', 1, 3) ,`category` = " + v.categorie + ",`videotitle` = SUBSTR('" + escape(v.title) + "',1,100),`channel` = SUBSTR('" + escape(v.channel) + "',1,20),`tags` = '" + escape(v.tags) + "' WHERE `id` = '" + escape(v.id) + "';";
 			update(qu);
 		} catch(NullPointerException e) {
 
@@ -191,7 +195,7 @@ public class DB implements Runnable {
 	public void removeVideos(LinkedList<Video> vids) {
 		log.info("Delete " + vids.size() + " videos.");
 		for(Video s : vids) {
-			update("DELETE FROM `videos` WHERE `id`='" + s.id + "';");
+			update("DELETE FROM `videos` WHERE `id`='" + escape(s.id) + "';");
 		}
 	}
 
@@ -280,7 +284,7 @@ public class DB implements Runnable {
 			log.info("store Temp to buffer: " + strings.size());
 			writetempbuffercurrentsize += strings.size();
 			for(String s : strings) {
-				totempbuffer.append(", ('").append(s).append("')");
+				totempbuffer.append(", ('").append(escape(s)).append("')");
 			}
 		}
 		if(writetempbuffercurrentsize > writebuffersize || force) {