Injection escaping may not work for CREATE SEQUENCE after all

2025-12-28 01:03:10 -06:00 · 2021-04-21 10:29:11 +01:00 · 2021-04-21 10:29:11 +01:00 · 42b3dc5abe
parent e1902ae697
commit 42b3dc5abe
1 changed files with 3 additions and 2 deletions
--- a/roomserver/storage/postgres/deltas/2021041615092700_state_blocks_refactor.go
+++ b/roomserver/storage/postgres/deltas/2021041615092700_state_blocks_refactor.go
@ -40,6 +40,7 @@ func LoadStateBlocksRefactor(m *sqlutil.Migrations) {
 	m.AddMigration(UpStateBlocksRefactor, DownStateBlocksRefactor)
 }
 // nolint:gocyclo
 func UpStateBlocksRefactor(tx *sql.Tx) error {
 	logrus.Warn("Performing state storage upgrade. Please wait, this may take some time!")
 	defer logrus.Warn("State storage upgrade complete")
@ -65,10 +66,10 @@ func UpStateBlocksRefactor(tx *sql.Tx) error {
 	if _, err := tx.Exec(`ALTER TABLE roomserver_state_snapshots RENAME TO _roomserver_state_snapshots;`); err != nil {
 		return fmt.Errorf("tx.Exec: %w", err)
 	}
-	if _, err := tx.Exec(`CREATE SEQUENCE roomserver_state_block_nid_sequence START WITH $1;`, maxblockid); err != nil {
+	if _, err := tx.Exec(fmt.Sprintf(`CREATE SEQUENCE roomserver_state_block_nid_sequence START WITH %d;`, maxblockid)); err != nil {
 		return fmt.Errorf("tx.Exec: %w", err)
 	}
-	if _, err := tx.Exec(`CREATE SEQUENCE roomserver_state_snapshot_nid_sequence START WITH $1;`, maxsnapshotid); err != nil {
+	if _, err := tx.Exec(fmt.Sprintf(`CREATE SEQUENCE roomserver_state_snapshot_nid_sequence START WITH %d;`, maxsnapshotid)); err != nil {
 		return fmt.Errorf("tx.Exec: %w", err)
 	}
 	_, err := tx.Exec(`