From c961c6db7d149353537f302717adad9e26e4d50a Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sun, 25 Feb 2024 23:13:01 +0100
Subject: [PATCH] Use proper prepared statement for updateEnclosures

---
 internal/storage/enclosure.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/internal/storage/enclosure.go b/internal/storage/enclosure.go
index 8eb1cea4..197ae577 100644
--- a/internal/storage/enclosure.go
+++ b/internal/storage/enclosure.go
@@ -9,6 +9,8 @@ import (
 "strings"
 
 "miniflux.app/v2/internal/model"
+
+ "github.com/lib/pq"
 )
 
 // GetEnclosures returns all attachments for the given entry.
@@ -130,11 +132,8 @@ func (s *Storage) updateEnclosures(tx *sql.Tx, entry *model.Entry) error {
 return nil
 }
 
- sqlValues := []any{entry.UserID, entry.ID}
- sqlPlaceholders := []string{}
-
+ sqlValues := make([]string, len(entry.Enclosures))
 for _, enclosure := range entry.Enclosures {
- sqlPlaceholders = append(sqlPlaceholders, fmt.Sprintf(`$%d`, len(sqlValues)+1))
 sqlValues = append(sqlValues, strings.TrimSpace(enclosure.URL))
 
 if err := s.createEnclosure(tx, enclosure); err != nil {
@@ -146,12 +145,10 @@ func (s *Storage) updateEnclosures(tx *sql.Tx, entry *model.Entry) error {
 DELETE FROM enclosures
 WHERE
- user_id=$1 AND entry_id=$2 AND url NOT IN (%s)
+ user_id=$1 AND entry_id=$2 AND url <> ALL($3)
 `
- query = fmt.Sprintf(query, strings.Join(sqlPlaceholders, `,`))
-
- _, err := tx.Exec(query, sqlValues...)
+ _, err := tx.Exec(query, entry.UserID, entry.ID, pq.Array(sqlValues))
 if err != nil {
 return fmt.Errorf(`store: unable to delete old enclosures: %v`, err)
 }
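Review bot: In the `@@ -130,11 +132,8 @@` hunk, `sqlValues := make([]string, len(entry.Enclosures))` allocates len(entry.Enclosures) zero-value strings and the loop then appends on top of them, so the array bound to `url <> ALL($3)` carries one empty string per enclosure ahead of the real URLs. Deletion still works for ordinary URLs, but the parameter is twice as large as needed and an existing row whose url is the empty string would no longer be removed. The intent is a capacity hint, not a length: `sqlValues := make([]string, 0, len(entry.Enclosures))`. Since `<> ALL` of an empty array is true for every row, the early `return nil` at the top of this hunk (presumably the no-enclosures guard; its condition is outside the hunk) is what keeps an entry with no enclosures from wiping all of its rows, which deserves a one-line comment such as `// an empty array would match every row in the DELETE below`. updateEnclosures begins and ends outside this hunk.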