converted most dynamic SQL queries into prepared statement to avoid excessive statement caching

src/routes/api/autocomplete.js

@@ -33,10 +33,12 @@ function getAutocomplete(req) {
 
 function getRecentNotes(activeNoteId) {
     let extraCondition = '';
+    const params = [activeNoteId];
 
     const hoistedNoteId = optionService.getOption('hoistedNoteId');
     if (hoistedNoteId !== 'root') {
-        extraCondition = `AND recent_notes.notePath LIKE '%${utils.sanitizeSql(hoistedNoteId)}%'`;
+        extraCondition = `AND recent_notes.notePath LIKE ?`;
+        params.push(hoistedNoteId + '%');
     }
 
     const recentNotes = repository.getEntities(`
@@ -52,7 +54,7 @@ function getRecentNotes(activeNoteId) {
         ${extraCondition}
       ORDER BY 
         utcDateCreated DESC
-      LIMIT 200`, [activeNoteId]);
+      LIMIT 200`, params);
 
     return recentNotes.map(rn => {
         const title = noteCacheService.getNoteTitleForPath(rn.notePath.split('/'));

src/routes/api/note_revisions.js

@@ -119,21 +119,19 @@ function restoreNoteRevision(req) {
 }
 
 function getEditedNotesOnDate(req) {
-    const date = utils.sanitizeSql(req.params.date);
-
     const notes = repository.getEntities(`
         SELECT notes.*
         FROM notes
         WHERE noteId IN (
                 SELECT noteId FROM notes 
-                WHERE notes.dateCreated LIKE '${date}%' 
-                   OR notes.dateModified LIKE '${date}%'
+                WHERE notes.dateCreated LIKE :date
+                   OR notes.dateModified LIKE :date
             UNION ALL
                 SELECT noteId FROM note_revisions
-                WHERE note_revisions.dateLastEdited LIKE '${date}%'
+                WHERE note_revisions.dateLastEdited LIKE :date
         )
         ORDER BY isDeleted
-        LIMIT 50`);
+        LIMIT 50`, {date: req.params.date + '%'});
 
     for (const note of notes) {
         const notePath = noteCacheService.getNotePath(note.noteId);