From 530d81b5652b236b3d4b060680831e2f88c1eb03 Mon Sep 17 00:00:00 2001
From: Xiaolan Bot
Date: Sun, 22 Feb 2026 01:33:02 +0800
Subject: [PATCH] refactor: harden field mapping and sqlite boolean toggles

---
 SubMind.py | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/SubMind.py b/SubMind.py
index 13584c9..a205e2d 100644
--- a/SubMind.py
+++ b/SubMind.py
@@ -242,7 +242,15 @@ def format_frequency(unit, value) -> str:
 CATEGORY_CB_PREFIX = "list_subs_in_category_id_"
 
 
-EDITABLE_SUB_FIELDS = {'name', 'cost', 'currency', 'category', 'next_due', 'renewal_type', 'notes'}
+EDITABLE_SUB_FIELDS = {
+    'name': 'name',
+    'cost': 'cost',
+    'currency': 'currency',
+    'category': 'category',
+    'next_due': 'next_due',
+    'renewal_type': 'renewal_type',
+    'notes': 'notes'
+}
 
 
 def _build_category_callback_data(category_id: int) -> str:
@@ -1050,7 +1058,8 @@ async def edit_new_value_received(update: Update, context: CallbackContext):
         if update.effective_message:
             await update.effective_message.reply_text("错误:未选择要编辑的字段。")
         return ConversationHandler.END
-    if field not in EDITABLE_SUB_FIELDS:
+    db_field = EDITABLE_SUB_FIELDS.get(field)
+    if not db_field:
         if update.effective_message:
             await update.effective_message.reply_text("错误:不允许编辑该字段。")
         logger.warning(f"Blocked unsafe field update attempt: {field}")
@@ -1111,7 +1120,7 @@ async def edit_new_value_received(update: Update, context: CallbackContext):
 
     with get_db_connection() as conn:
         cursor = conn.cursor()
-        cursor.execute(f"UPDATE subscriptions SET {field} = ? WHERE id = ? AND user_id = ?",
+        cursor.execute(f"UPDATE subscriptions SET {db_field} = ? WHERE id = ? AND user_id = ?",
                        (new_value, sub_id, user_id))
         conn.commit()
 
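Review bot: The values of EDITABLE_SUB_FIELDS are spliced straight into the UPDATE statement in the later hunk of edit_new_value_received (`f"UPDATE subscriptions SET {db_field} = ? ..."`), so the dict is now the allowlist of SQL column names, and nothing at the definition says so. A one-line comment above the literal would stop the next maintainer from adding a computed or user-derived value: `# user-facing field name -> subscriptions column; values are interpolated into SQL, so only literal column names belong here`. The identity mapping also reads as if a rename were intended; if none is, a short note on why a dict replaced the set would help.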
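Review bot: The rewritten `cursor.execute` call scopes the UPDATE by `id` and `user_id` but never inspects the row count, so a `sub_id` that belongs to another user or no longer exists commits zero rows and execution continues as if the edit succeeded. If the code after `conn.commit()` reports success to the user, that is misleading; a guard such as `if cursor.rowcount == 0:` routed to the existing error reply, with a `logger.warning` naming the user and id, would both correct the response and give a record of attempts against ids the user does not own. The rest of edit_new_value_received, including what follows the commit, is outside the hunk.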
@@ -1195,12 +1204,14 @@ async def remind_action_handler(update: Update, context: CallbackContext):
         cursor = conn.cursor()
         if action == 'toggle_enabled':
             cursor.execute(
-                "UPDATE subscriptions SET reminders_enabled = NOT reminders_enabled WHERE id = ? AND user_id = ?",
+                "UPDATE subscriptions SET reminders_enabled = CASE WHEN reminders_enabled THEN 0 ELSE 1 END "
+                "WHERE id = ? AND user_id = ?",
                 (sub_id, user_id)
             )
         elif action == 'toggle_due_date':
             cursor.execute(
-                "UPDATE subscriptions SET reminder_on_due_date = NOT reminder_on_due_date WHERE id = ? AND user_id = ?",
+                "UPDATE subscriptions SET reminder_on_due_date = CASE WHEN reminder_on_due_date THEN 0 ELSE 1 END "
+                "WHERE id = ? AND user_id = ?",
                 (sub_id, user_id)
             )
         conn.commit()
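Review bot: The `CASE WHEN reminders_enabled THEN 0 ELSE 1 END` form changes what happens to a NULL flag: in SQLite `NOT NULL` evaluates to NULL, so the old statement left an unset flag unset, whereas the new one writes 1. That is probably the intended hardening, but it is invisible from the commit message and worth a comment on the first of the two statements, e.g. `# CASE rather than NOT: a NULL flag toggles to 1 instead of staying NULL`. The reminder_on_due_date branch has the same change, and the two branches differ only in the column name, so dispatching through a fixed tuple of column names would keep the two SQL strings from drifting apart. As in the edit handler, neither UPDATE checks `cursor.rowcount`, so a toggle against an id the user does not own silently affects nothing; the enclosing with-block and remind_action_handler begin before the hunk.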