From 3a7acd6f76fe72867cb4a98104c0097c25b646ef Mon Sep 17 00:00:00 2001
From: Alex Tonkonozhenko
Date: Wed, 6 Nov 2024 02:59:29 +0100
Subject: [PATCH] Fix sql string escaping (#8163)

---
 .../dora/tasks/incident_from_issue_generator.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/plugins/dora/tasks/incident_from_issue_generator.go b/backend/plugins/dora/tasks/incident_from_issue_generator.go
index bb361089829..d70cd2ce527 100644
--- a/backend/plugins/dora/tasks/incident_from_issue_generator.go
+++ b/backend/plugins/dora/tasks/incident_from_issue_generator.go
@@ -57,11 +57,11 @@ func ConvertIssuesToIncidents(taskCtx plugin.SubTaskContext) errors.Error {
 FROM issues i
 LEFT JOIN board_issues bi ON bi.issue_id = i.id
 LEFT JOIN project_mapping pm ON pm.row_id = bi.board_id
- WHERE i.type = "INCIDENT"
+ WHERE i.type = ?
 AND pm.project_name = ?
- AND pm.table = "boards")
+ AND pm.table = ?)
 `
- if err := db.Exec(deleteIncidentsSql, data.Options.ProjectName); err != nil {
+ if err := db.Exec(deleteIncidentsSql, "INCIDENT", data.Options.ProjectName, "boards"); err != nil {
 return errors.Default.Wrap(err, "error deleting previous incidents")
 }
@@ -73,11 +73,11 @@ func ConvertIssuesToIncidents(taskCtx plugin.SubTaskContext) errors.Error {
 FROM issues i
 LEFT JOIN board_issues bi ON bi.issue_id = i.id
 LEFT JOIN project_mapping pm ON pm.row_id = bi.board_id
- WHERE i.type = "INCIDENT"
+ WHERE i.type = ?
 AND pm.project_name = ?
- AND pm.table = "boards")
+ AND pm.table = ?)
 `
- if err := db.Exec(deleteIncidentAssigneesSql, data.Options.ProjectName); err != nil {
+ if err := db.Exec(deleteIncidentAssigneesSql, "INCIDENT", data.Options.ProjectName, "boards"); err != nil {
 return errors.Default.Wrap(err, "error deleting previous incident_assignees")
 }
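Review bot: The three `?` placeholders in `deleteIncidentsSql` are now matched purely by position to `"INCIDENT", data.Options.ProjectName, "boards"`, and the same argument list is repeated for `deleteIncidentAssigneesSql` in the second hunk, so a later reorder of either WHERE clause would silently scope a DELETE to the wrong rows. Building the list once, e.g. `scopeArgs := []interface{}{"INCIDENT", data.Options.ProjectName, "boards"}` and calling `db.Exec(deleteIncidentsSql, scopeArgs...)` (assuming `Exec` is variadic, which the three-argument call suggests), keeps both deletes in step. A short comment above the queries would also help, such as `// string constants are bound as parameters because double-quoted text is an identifier, not a string, in standard SQL`; that reason is inferred from the commit title and should be confirmed. The body of ConvertIssuesToIncidents starts and ends outside both hunks.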