From d39c0ea2f8c937c6075ae5c04b28ff1c27cb6f29 Mon Sep 17 00:00:00 2001
From: geoffrey45 <geoffreymungai45@gmail.com>
Date: Tue, 28 Feb 2023 10:30:00 +0300
Subject: [PATCH] rewrite sql statements to use parameter binding

---
 app/db/sqlite/playlists.py | 25 ++++++++++++-------------
 app/db/sqlite/tracks.py    | 27 ++++-----------------------
 2 files changed, 16 insertions(+), 36 deletions(-)

diff --git a/app/db/sqlite/playlists.py b/app/db/sqlite/playlists.py
index 0e38ad26..dc55bb9c 100644
--- a/app/db/sqlite/playlists.py
+++ b/app/db/sqlite/playlists.py
@@ -15,25 +15,24 @@ class SQLitePlaylistMethods:
     @staticmethod
     def insert_one_playlist(playlist: dict):
         sql = """INSERT INTO playlists(
-            artisthashes,
-            banner_pos,
-            has_gif,
-            image,
-            last_updated,
-            name,
-            trackhashes
-            ) VALUES(?,?,?,?,?,?,?)
-            """
+        artisthashes,
+        banner_pos,
+        has_gif,
+        image,
+        last_updated,
+        name,
+        trackhashes
+        ) VALUES(:artisthashes, :banner_pos, :has_gif, :image, :last_updated, :name, :trackhashes)
+        """
 
         playlist = OrderedDict(sorted(playlist.items()))
-        params = (*playlist.values(),)
 
         with SQLiteManager(userdata_db=True) as cur:
-            cur.execute(sql, params)
+            cur.execute(sql, playlist)
             pid = cur.lastrowid
-            params = (pid, *params)
 
-            return tuple_to_playlist(params)
+            p_tuple = (pid, *playlist.values())
+            return tuple_to_playlist(p_tuple)
 
     @staticmethod
     def get_playlist_by_name(name: str):
diff --git a/app/db/sqlite/tracks.py b/app/db/sqlite/tracks.py
index 8ec8a00f..f7dbbc9a 100644
--- a/app/db/sqlite/tracks.py
+++ b/app/db/sqlite/tracks.py
@@ -4,6 +4,7 @@ interacting with the tracks table.
 """
 
 
+from collections import OrderedDict
 from sqlite3 import Cursor
 
 from app.db.sqlite.utils import tuple_to_track, tuples_to_tracks
@@ -37,31 +38,11 @@ class SQLiteTrackMethods:
             title,
             track,
             trackhash
-            ) VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)
+            ) VALUES(:album, :albumartist, :albumhash, :artist, :bitrate, :copyright, :date, :disc, :duration, :filepath, :folder, :genre, :title, :track, :trackhash)
             """
 
-        cur.execute(
-            sql,
-            (
-                track["album"],
-                track["albumartist"],
-                track["albumhash"],
-                track["artist"],
-                track["bitrate"],
-                track["copyright"],
-                track["date"],
-                track["disc"],
-                track["duration"],
-                track["filepath"],
-                track["folder"],
-                track["genre"],
-                track["title"],
-                track["track"],
-                track["trackhash"],
-            ),
-        )
-
-        # TODO: rewrite the above code using an ordered dict and destructuring
+        track = OrderedDict(sorted(track.items()))
+        cur.execute(sql, track)
 
     @classmethod
     def insert_many_tracks(cls, tracks: list[dict]):