Avoid SQL injection

src/main.rs

@@ -179,7 +179,7 @@ async fn handle_http_info(mut stream: TcpStream) -> Result<(), anyhow::Error> {
             max_event_time_newer_than_now: 900,
             max_event_time_older_than_now: 315576000,
             max_filters: 100,
-            max_limit: 100,
+            max_limit: 500,
             max_message_length: 524288,
             max_subid_length: 100,
             max_subscriptions: 20,
@@ -188,7 +188,7 @@ async fn handle_http_info(mut stream: TcpStream) -> Result<(), anyhow::Error> {
         name: "A rust nostr relay by laoXong",
         pubkey: "63abd4f817e39cca4e6abb6e6cf3e133bb718cf8ec28b38c1645e84d7a6190c6",
         software: "https://git.moe.gift/laoxong/nostr-relay",
-        supported_nips: vec![1, 2, 5],
+        supported_nips: vec![1, 2, 5, 65],
         version: env!("CARGO_PKG_VERSION"),
     };
     
@@ -415,6 +415,14 @@ impl NostrEvent {
                     }
                 }
             }
+            10002 => {
+                if !self.tags.is_empty() {
+                    sqlx::query("DELETE FROM events WHERE id = ? AND kind = 10002")
+                    .bind(&self.id)
+                    .execute(pool)
+                    .await?;
+                }
+            }
             _ => {}
         }
         let sql = "INSERT INTO events (id, pubkey, created_at, kind, tags, content, sig) VALUES (?, ?, ?, ?, ?, ?, ?)";
@@ -448,7 +456,7 @@ impl Filter {
                 sql.push(" AND id in (");
                 let mut separated = sql.separated(",");
                 for id in ids {
-                    separated.push(&format!("'{}'", id));
+                    separated.push_bind(id);
                 }
                 separated.push_unseparated(")");
             }
@@ -459,7 +467,7 @@ impl Filter {
                 sql.push(" AND pubkey in (");
                 let mut separated = sql.separated(",");
                 for pubkey in pubkeys {
-                    separated.push(&format!("'{}'", pubkey));
+                    separated.push_bind(pubkey);
                 }
                 separated.push_unseparated(")");
             }
@@ -470,18 +478,15 @@ impl Filter {
                 sql.push(" AND kind in (");
                 let mut separated = sql.separated(",");
                 for kind in kinds {
-                    separated.push(&format!("{}", kind));
+                    separated.push_bind(kind);
                 }
                 separated.push_unseparated(")");
             }
         }
 
         sql.push(" ORDER BY created_at DESC");
-        if let Some(limit) = &self.limit {
-            sql.push(" LIMIT ").push_bind(*limit as i64);        
-        } else {
-            sql.push(" LIMIT 10");
-        }
+        let max_limit = self.limit.unwrap_or(10).min(500);
+        sql.push(" LIMIT ").push_bind(max_limit as i64);
         let query = sql.build();
         debug!("SQL: {}", query.sql());
         let result = query.fetch_all(pool).await?;