From 99fbaab8168e20a40bd6a42204397ba8d2ae6085 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Mon, 8 Dec 2025 16:28:46 +0100
Subject: [PATCH] Enhance change_falukant_user_money: Implement fallback to literal SQL for update_money on failure of parameterized call, improving robustness and error handling.
---
 src/worker/base.rs | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/worker/base.rs b/src/worker/base.rs
index 12e83d3..fd622cf 100644
--- a/src/worker/base.rs
+++ b/src/worker/base.rs
@@ -173,9 +173,31 @@ impl BaseWorker {
 uid_i32, money_str, action
 );
- let _ = conn.execute("update_money", &[p1, p2, p3])?;
+ // Try parameterized call first
+ match conn.execute("update_money", &[p1, p2, p3]) {
+ Ok(_) => return Ok(()),
+ Err(err) => {
+ eprintln!(
+ "[BaseWorker] parameterized update_money failed: {err}, falling back to literal SQL",
+
+ );
+ // Fall back: build SQL with literals. Escape action safely (double single-quotes).
+ fn escape_sql_literal(s: &str) -> String {
+ s.replace('\'', "''")
+ }
- Ok(())
+ let escaped_action = escape_sql_literal(action);
+ // money_str is already a numeric literal string (e.g. "3726" or "1597.12")
+ let sql = format!(
+ "SELECT falukant_data.update_money({}, {}::numeric, '{}');",
+ uid_i32, money_str, escaped_action
+ );
+
+ // Use query without parameters
+ let _ = conn.query(&sql)?;
+ return Ok(());
+ }
+ }
 }
 }
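Review bot: The fallback path interpolates `money_str` straight into the SQL text in `format!("SELECT falukant_data.update_money({}, {}::numeric, '{}');", …)`, and the only guard is a comment saying it is "already a numeric literal string"; nothing in the hunk validates that, so if any caller derives it from untrusted input this is a SQL injection, and the `''` doubling in `escape_sql_literal` is not a complete quoting scheme for `action` either (backslashes under `standard_conforming_strings = off`, for instance). If the named statement can be unavailable, the fallback should keep placeholders rather than literals — the same arguments can be reused, e.g. `conn.query("SELECT falukant_data.update_money($1, $2::numeric, $3);", &[p1, p2, p3])?;` — which removes `escape_sql_literal` and the `format!` entirely (assuming the client exposes a `query(&str, &[…])` form; the one-argument `conn.query(&sql)` call in the hunk suggests otherwise, so confirm against the driver). Retrying on every `Err` also re-runs the function after failures it will simply hit again (constraint violations, a dropped connection) and reduces the original error to an `eprintln!`; narrow the fallback to the specific error that motivated it and route the message through the crate's logger. The enclosing method starts above the hunk, where `conn`, `p1`–`p3`, `uid_i32`, `money_str` and `action` are bound.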