From 0e07967dab4b3080673db7d758812c8735f722a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Erbsh=C3=A4u=C3=9Fer?=
Date: Sun, 24 May 2026 09:22:53 +0200
Subject: [PATCH] use ? placeholders consistently
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tobias Erbshäußer
---
 backend/db.go | 43 +++++++++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/backend/db.go b/backend/db.go
index e98d658..be189f5 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -7,7 +7,6 @@ import (
 	"errors"
 	"log"
 	"slices"
-	"strconv"
 	"strings"
 	"time"
@@ -231,19 +230,23 @@ func (db *Database) GetBlogArticles(showAll bool, offset int, limit int, tags []
 }
 func (db *Database) GetBlogArticle(showAll bool, id int64) (*Article, error) {
-	filter := "WHERE blog_article.id = ?"
+	filter := " WHERE blog_article.id = ?"
+	filterArgs := make([]interface{}, 0)
+	filterArgs = append(filterArgs, id)
+
 	if !showAll {
-		filter = filter + " AND status = " + strconv.Itoa(ArticleStatusPublished)
+		filter = filter + " AND status = ?"
+		filterArgs = append(filterArgs, ArticleStatusPublished)
 	}
-	statement := "SELECT blog_article.status, blog_article.title, blog_article.date, blog_article.modification_date, blog_article.content, blog_tag.name" +
-		" FROM blog_article" +
-		" LEFT JOIN blog_article_to_tag ON blog_article.id = blog_article_to_tag.article_id" +
-		" LEFT JOIN blog_tag ON blog_article_to_tag.tag_id = blog_tag.id" +
-		" " + filter +
-		" ORDER BY blog_tag.name"
-
-	rows, err := db.db.Query(statement, id)
+	rows, err := db.db.Query(
+		"SELECT blog_article.status, blog_article.title, blog_article.date, blog_article.modification_date, blog_article.content, blog_tag.name"+
+			" FROM blog_article"+
+			" LEFT JOIN blog_article_to_tag ON blog_article.id = blog_article_to_tag.article_id"+
+			" LEFT JOIN blog_tag ON blog_article_to_tag.tag_id = blog_tag.id"+filter+
+			" ORDER BY blog_tag.name",
+		filterArgs...,
+	)
 	if err != nil {
 		return nil, err
 	}
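Review bot: The status clause added here stays unqualified, `filter = filter + " AND status = ?"`, while the sibling change in GetBlogArticleFile writes `blog_article.status = ?`; this query LEFT JOINs blog_article_to_tag and blog_tag, so writing `" AND blog_article.status = ?"` keeps the two functions consistent and rules out an ambiguous-column error should either joined table ever gain a status column (whether they have one is not visible here). The `?` placeholders and their values now live in two variables that are appended separately and are matched only by position at query time, so a one-line comment above the first append would protect the invariant: `// filter only ever receives literal SQL and ? placeholders; every value goes into filterArgs in the same order`. Minor style point: `filterArgs := make([]interface{}, 0)` followed by `append(filterArgs, id)` reads more directly as `filterArgs := []any{id}`, and `any` is available since the file already imports the Go 1.21 slices package. The function body continues past the end of the hunk.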
@@ -304,17 +307,21 @@ func (db *Database) GetBlogArticle(showAll bool, id int64) (*Article, error) {
 }
 func (db *Database) GetBlogArticleFile(showAll bool, articleId int64, fileId int64) (ArticleFile, error) {
-	filter := "WHERE blog_file.article_id = ? AND blog_file.id = ?"
+	filter := " WHERE blog_file.article_id = ? AND blog_file.id = ?"
+	filterArgs := make([]interface{}, 0)
+	filterArgs = append(filterArgs, articleId)
+	filterArgs = append(filterArgs, fileId)
+
 	if !showAll {
-		filter = filter + " AND blog_article.status = " + strconv.Itoa(ArticleStatusPublished)
+		filter = filter + " AND blog_article.status = ?"
+		filterArgs = append(filterArgs, ArticleStatusPublished)
 	}
-	statement := "SELECT blog_file.data FROM blog_file" +
-		" INNER JOIN blog_article ON blog_article.id = blog_file.article_id" +
-		" " + filter
-
 	var data []byte
-	err := db.db.QueryRow(statement, articleId, fileId).Scan(&data)
+	err := db.db.QueryRow(
+		"SELECT blog_file.data FROM blog_file INNER JOIN blog_article ON blog_article.id = blog_file.article_id"+filter,
+		filterArgs...,
+	).Scan(&data)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return ArticleFile{}, ErrNotFound
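Review bot: The new concatenation `"... blog_article.id = blog_file.article_id"+filter` only produces valid SQL because `filter` now begins with a space (`" WHERE blog_file.article_id = ? ..."`), and nothing says so; a comment on that line such as `// leading space: filter is appended directly to the SELECT text below` would stop a later cleanup from trimming it and yielding `article_id WHERE`. The placeholder-to-argument mapping is positional across `filter` and `filterArgs` and a mismatch is only reported by the driver at query time, so state that invariant next to the appends rather than leaving it implicit. Style: `filterArgs := make([]interface{}, 0)` plus two appends collapses to `filterArgs := []any{articleId, fileId}`. The `showAll` gate is what keeps files of unpublished articles from being served, so the `blog_article.status = ?` clause is the access check here and deserves a why-comment; the function continues past the end of the hunk.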