From 14bbfe6ffbf16b93985e2432a3a824887188c98a Mon Sep 17 00:00:00 2001
From: Anders Kaseorg <anders@zulip.com>
Date: Tue, 9 Jun 2020 02:30:40 -0700
Subject: [PATCH] bulk_get_subscriber_user_ids: Use cursor.execute correctly.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
---
 zerver/lib/actions.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py
index ab05ab8e4c..9fb9308231 100644
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -2573,9 +2573,7 @@ def bulk_get_subscriber_user_ids(stream_dicts: Iterable[Mapping[str, Any]],
     to optimize.)
     '''
 
-    id_list = ', '.join(str(recipient_id) for recipient_id in recipient_ids)
-
-    query = '''
+    query = SQL('''
         SELECT
             zerver_subscription.recipient_id,
             zerver_subscription.user_profile_id
@@ -2584,16 +2582,16 @@ def bulk_get_subscriber_user_ids(stream_dicts: Iterable[Mapping[str, Any]],
         INNER JOIN zerver_userprofile ON
             zerver_userprofile.id = zerver_subscription.user_profile_id
         WHERE
-            zerver_subscription.recipient_id in (%s) AND
+            zerver_subscription.recipient_id in %(recipient_ids)s AND
             zerver_subscription.active AND
             zerver_userprofile.is_active
         ORDER BY
             zerver_subscription.recipient_id,
             zerver_subscription.user_profile_id
-        ''' % (id_list,)
+        ''')
 
     cursor = connection.cursor()
-    cursor.execute(query)
+    cursor.execute(query, {"recipient_ids": tuple(recipient_ids)})
     rows = cursor.fetchall()
     cursor.close()