From 77c4576b59bf6c680d7f57d42c5a4e84cfde6167 Mon Sep 17 00:00:00 2001
From: Winston Li 
Date: Mon, 23 Feb 2015 11:00:34 +0000
Subject: [PATCH] Fix SQL injection.

---
 .../sql/update/delete/DeleteFilesForProjectSQLUpdate.java | 7 ++++---
 .../update/delete/DeleteFilesForProjectSQLUpdateTest.java | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java b/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java
index 98f26fb88b..4fef0e1431 100644
--- a/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java
+++ b/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java
@@ -25,9 +25,7 @@ public class DeleteFilesForProjectSQLUpdate implements SQLUpdate {
     public String getSQL() {
         StringBuilder sb = new StringBuilder(DELETE_URL_INDEXES_FOR_PROJECT_NAME);
         for (int i = 0; i < paths.length; i++) {
-            sb.append('\'');
-            sb.append(paths[i]);
-            sb.append('\'');
+            sb.append("?");
             if (i < paths.length - 1) {
                 sb.append(", ");
             }
@@ -39,6 +37,9 @@ public class DeleteFilesForProjectSQLUpdate implements SQLUpdate {
     @Override
     public void addParametersToStatement(PreparedStatement statement) throws SQLException {
         statement.setString(1, projectName);
+        for (int i = 0; i < paths.length; i++) {
+            statement.setString(i + 2, paths[i]);
+        }
     }
 
 }
diff --git a/services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java b/services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java
index c9e1371147..aad9ab3642 100644
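Review bot: With an empty `paths` array the placeholder loop in getSQL emits no `?` at all, so the statement ends in `path IN ()`, which several SQL dialects reject as a syntax error rather than treating as "matches nothing"; the page does not name the database, so whether it is accepted here cannot be confirmed. Since the constructor is called with varargs in the test (`new DeleteFilesForProjectSQLUpdate("projname", "path1", "path2")`), a caller passing no paths reaches this case at runtime. A guard such as `if (paths.length == 0) { throw new IllegalArgumentException("paths must not be empty"); }` at the top of getSQL, or documenting that precondition on the constructor, would make the contract explicit. The parameterisation itself is the right fix; getSQL's tail (the closing `;\n` append suggested by the test expectation) lies outside the hunk.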
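Review bot: The binding offset `i + 2` in addParametersToStatement silently assumes that DELETE_URL_INDEXES_FOR_PROJECT_NAME contains exactly one `?` (for `project_name`) ahead of the path placeholders generated by getSQL, and nothing in this file ties the two together. A short comment on the loop, `// index 1 is project_name (bound above); path placeholders from getSQL() start at 2`, would record that coupling for whoever next edits the base query. It is also worth noting that some drivers cap the number of bound parameters per statement, so a very long `paths` array may need batching; that limit is not visible on the page and should be confirmed against the database in use.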
--- a/services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java
+++ b/services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java
@@ -8,7 +8,7 @@ public class DeleteFilesForProjectSQLUpdateTest {
     @Test
     public void testGetSQL() {
         DeleteFilesForProjectSQLUpdate update = new DeleteFilesForProjectSQLUpdate("projname", "path1", "path2");
-        assertEquals("DELETE FROM `url_index_store` WHERE `project_name` = ? AND path IN ('path1', 'path2');\n", update.getSQL());
+        assertEquals("DELETE FROM `url_index_store` WHERE `project_name` = ? AND path IN (?, ?);\n", update.getSQL());
     }
 
 }
\ No newline at end of file
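Review bot: The updated assertion pins the placeholder shape of getSQL but nothing exercises the new binding loop in addParametersToStatement, so a regression in the `i + 2` index arithmetic (for example binding a path over the project_name slot) would still pass this suite. A second test that drives addParametersToStatement with a minimal PreparedStatement stub recording each `setString(index, value)` call and asserts `1 -> "projname"`, `2 -> "path1"`, `3 -> "path2"` would close that gap; the stub needs no mocking library, only the JDBC interface already on the classpath. A zero-path case (`new DeleteFilesForProjectSQLUpdate("projname")`) would also document what getSQL is expected to produce when there is nothing to delete.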