Prepared statements everywhere

c-busqueda/handler.cr

@@ -88,57 +88,52 @@ class Handler
 
     year = year.to_i?
 
-    if prefijo.nil? && year.nil?
-      # Global totals
-      sql = %(
-      SELECT total::integer, nombre
-      FROM totales
-      ORDER BY total DESC
-      LIMIT 50
-      )
-    elsif prefijo.nil? && !year.nil?
-      # Per-year totals
-      sql = %(
-        SELECT contador::integer, nombre
-        FROM nombres
-        WHERE
-            anio = '#{year}'
-        ORDER BY contador DESC
-        LIMIT 50
-      )
-    elsif !prefijo.nil? && year.nil?
-      # Filter only by prefix
-      sql = %(
-        SELECT total, nombre
-        FROM totales
-        WHERE
-            nombre LIKE '#{prefijo}%'
-        ORDER BY total DESC
-        LIMIT 50
-      )
-    else
-      # We have both
-      sql = %(
-        SELECT contador, nombre
-        FROM nombres
-        WHERE
-            anio = '#{year}' AND
-            nombre LIKE '#{prefijo}%'
-        ORDER BY contador DESC
-        LIMIT 50
-      )
-    end
-
-    puts "QUERY: #{sql}"
-
     datos = [] of Tuple(Int32, String)
     DB.open(DB_URL) do |cursor|
-      cursor.query sql do |result_set|
+      if prefijo.nil? && year.nil?
+        # Global totals
+        result_set = cursor.query("
+          SELECT total::integer, nombre
+          FROM totales
+          ORDER BY total DESC
+          LIMIT 50")
+      elsif prefijo.nil? && !year.nil?
+        # Per-year totals
+        result_set = cursor.query("
+          SELECT contador::integer, nombre
+          FROM nombres
+          WHERE
+            anio = $1
+          ORDER BY contador DESC
+          LIMIT 50", year)
+      elsif !prefijo.nil? && year.nil?
+        # Filter only by prefix
+        result_set = cursor.query("
+          SELECT total::integer, nombre
+          FROM totales
+          WHERE
+              nombre LIKE $1
+          ORDER BY total DESC
+          LIMIT 50", prefijo + "%")
+      elsif !prefijo.nil? && !year.nil?
+        # We have both
+        result_set = cursor.query("
+          SELECT contador::integer, nombre
+          FROM nombres
+          WHERE
+              anio = $1 AND
+              nombre LIKE $2
+          ORDER BY contador DESC
+          LIMIT 50", year, prefijo + "%")
+      end
+
+      if !result_set.nil?
         result_set.each do
           valor = result_set.read(Int32)
           nombre = result_set.read(String)
           datos.push({valor, nombre})
         end
+        result_set.close
       end
     end