From cbdef5fa43286858d3cf3d55a18719cc81c962dc Mon Sep 17 00:00:00 2001
From: Eugene Burmakin
Date: Tue, 22 Jul 2025 19:56:12 +0200
Subject: [PATCH] Parameterize stats query
---
 app/queries/stats_query.rb | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/app/queries/stats_query.rb b/app/queries/stats_query.rb
index ad7ef90d..0192a8c8 100644
--- a/app/queries/stats_query.rb
+++ b/app/queries/stats_query.rb
@@ -6,21 +6,24 @@ class StatsQuery
 end

 def points_stats
- result = Point.connection.execute(<<~SQL.squish)
- SELECT
- COUNT(id) as total,
- COUNT(reverse_geocoded_at) as geocoded,
- COUNT(CASE WHEN geodata = '{}'::jsonb THEN 1 END) as without_data
- FROM points
- WHERE user_id = #{user.id}
- SQL
+ sql = ActiveRecord::Base.sanitize_sql_array([
+ <<~SQL.squish,
+ SELECT
+ COUNT(id) as total,
+ COUNT(reverse_geocoded_at) as geocoded,
+ COUNT(CASE WHEN geodata = '{}'::jsonb THEN 1 END) as without_data
+ FROM points
+ WHERE user_id = ?
+ SQL
+ user.id
+ ])

- row = result.first
+ result = Point.connection.select_one(sql)

 {
- total: row['total'].to_i,
- geocoded: row['geocoded'].to_i,
- without_data: row['without_data'].to_i
+ total: result['total'].to_i,
+ geocoded: result['geocoded'].to_i,
+ without_data: result['without_data'].to_i
 }
 end
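Review bot: The `?` in the new `points_stats` query is filled in by `ActiveRecord::Base.sanitize_sql_array`, which quotes the value into the SQL string on the client using `ActiveRecord::Base`'s connection, while the statement is then executed on `Point.connection`. If the app ever runs more than one database those two connections can differ, so the quoting should come from the model that runs the query: `sql = Point.sanitize_sql_array([`. Because the result is still a fully assembled SQL string rather than a server-side bind, a short comment above the call such as `# user.id is quoted into the SQL text here; this is not a prepared-statement bind` would keep the "Parameterize" title from being read as more than it is. Any value added to this array later gets the same quoting, but identifiers (column or table names) must never be passed through `?`.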