From e9f43c01696fe3ccb790afaa5dc4ffff2835d12c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Phillip=20K=C3=BChne?=
Date: Tue, 10 Mar 2020 20:08:31 +0100
Subject: [PATCH] Properly pass user input to SQLite and fix searches with umlauts. Resolves #3.

---
 backend/app/database.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/backend/app/database.py b/backend/app/database.py
index 8657003..96b1c9a 100644
--- a/backend/app/database.py
+++ b/backend/app/database.py
@@ -89,15 +89,17 @@ def get_played_list():
 def get_song_list():
     conn =open_db()
     cur = conn.cursor()
-    cur.execute("SELECT Artist || \" - \" || Title AS Song, Id FROM songs")
+    cur.execute("SELECT Artist || \" - \" || Title AS Song, Id FROM songs;")
     return cur.fetchall()
 
 def get_song_completions(input_string):
     conn = open_db()
     cur = conn.cursor()
     # Don't look, it burns...
+    prepared_string = "%{0}%".format(input_string).upper() # "Test" -> "%TEST%"
+    print(prepared_string)
     cur.execute(
-        "SELECT Title || \" - \" || Artist AS Song, Id FROM songs WHERE Song LIKE REPLACE(REPLACE(REPLACE(REPLACE(UPPER('%"+input_string+"%'),'ö','Ö'),'ü','Ü'),'ä','Ä'),'ß','ẞ') LIMIT 20")
+        "SELECT Title || \" - \" || Artist AS Song, Id FROM songs WHERE REPLACE(REPLACE(REPLACE(REPLACE(UPPER( SONG ),'ö','Ö'),'ü','Ü'),'ä','Ä'),'ß','ẞ') LIKE (?) LIMIT 20;", (prepared_string,))
     return cur.fetchall()
 
 def add_entry(name,song_id):
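Review bot: The Python-side `.upper()` on the new `prepared_string` line turns `ß` into `SS`, while the SQL side maps `ß` to `ẞ` after `UPPER()` (which is what the REPLACE chain exists for), so a search term containing ß can never match a row; normalize before upper-casing, e.g. `prepared_string = "%{0}%".format(input_string.replace("ß", "ẞ")).upper()`. The added `print(prepared_string)` writes every user-supplied search term to stdout and looks like a debug leftover; remove it or route it through a `logging` debug call. Binding the value as a parameter does stop SQL injection, but `%` and `_` inside `input_string` remain LIKE wildcards, so a client can still match arbitrary rows with `%`; if that matters, escape those characters in Python and append `ESCAPE '\'` to the query. The `open_db()` connection is never closed in either function, which is pre-existing but worth a `with` or `conn.close()` while this code is being touched.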