[grilo-plugins] metadata-store: Fix GET SQL injection
- From: Juan A. Suarez Romero <jasuarez src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [grilo-plugins] metadata-store: Fix GET SQL injection
- Date: Wed, 18 Apr 2012 09:02:41 +0000 (UTC)
commit 2414933730ca17ffe08be68a5faec8ccec9b4630
Author: Bastien Nocera <hadess hadess net>
Date: Thu Apr 12 15:58:19 2012 +0100
metadata-store: Fix GET SQL injection
https://bugzilla.gnome.org/show_bug.cgi?id=673912
src/metadata/metadata-store/grl-metadata-store.c | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
---
diff --git a/src/metadata/metadata-store/grl-metadata-store.c b/src/metadata/metadata-store/grl-metadata-store.c
index 2b6b3bf..5a67aae 100644
--- a/src/metadata/metadata-store/grl-metadata-store.c
+++ b/src/metadata/metadata-store/grl-metadata-store.c
@@ -59,7 +59,7 @@ GRL_LOG_DOMAIN_STATIC(metadata_store_log_domain);
#define GRL_SQL_GET_METADATA \
"SELECT * FROM store " \
- "WHERE source_id='%s' AND media_id='%s' " \
+ "WHERE source_id=? AND media_id=? " \
"LIMIT 1"
#define GRL_SQL_UPDATE_METADATA \
@@ -215,22 +215,22 @@ query_metadata_store (sqlite3 *db,
const gchar *source_id,
const gchar *media_id)
{
- gint r;
+ gint r, idx;
sqlite3_stmt *sql_stmt = NULL;
- gchar *sql;
GRL_DEBUG ("get_metadata");
- sql = g_strdup_printf (GRL_SQL_GET_METADATA, source_id, media_id);
- GRL_DEBUG ("%s", sql);
- r = sqlite3_prepare_v2 (db, sql, strlen (sql), &sql_stmt, NULL);
- g_free (sql);
+ r = sqlite3_prepare_v2 (db, GRL_SQL_GET_METADATA, -1, &sql_stmt, NULL);
if (r != SQLITE_OK) {
GRL_WARNING ("Failed to get metadata: %s", sqlite3_errmsg (db));
return NULL;
}
+ idx = 0;
+ sqlite3_bind_text(sql_stmt, ++idx, source_id, -1, SQLITE_STATIC);
+ sqlite3_bind_text(sql_stmt, ++idx, media_id, -1, SQLITE_STATIC);
+
return sql_stmt;
}
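Review bot: Both `sqlite3_bind_text` calls pass `SQLITE_STATIC` and the statement is then returned without being stepped, so SQLite keeps pointers to the caller's `source_id` and `media_id` until the caller finalizes or rebinds it. The callers are not visible here, but if any of them frees or reuses those strings before stepping, the query reads freed memory; `SQLITE_TRANSIENT` avoids that at the cost of one copy per string. The bind return codes are also dropped, so a failed bind hands back a statement with a NULL parameter that silently matches nothing; it should be finalized and NULL returned, as on the prepare failure path. The function's signature starts outside the hunk.

```c
  /* … unchanged: sqlite3_prepare_v2 call and its error check … */

  r = sqlite3_bind_text (sql_stmt, 1, source_id, -1, SQLITE_TRANSIENT);
  if (r == SQLITE_OK)
    r = sqlite3_bind_text (sql_stmt, 2, media_id, -1, SQLITE_TRANSIENT);
  if (r != SQLITE_OK) {
    GRL_WARNING ("Failed to get metadata: %s", sqlite3_errmsg (db));
    sqlite3_finalize (sql_stmt);
    return NULL;
  }

  return sql_stmt;
```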