
theory at bricolage
Mar 6, 2009, 5:22 PM
[8464] Be smarter (and less vulnerable to SQL injection attacks) with
Revision: 8464
Author: theory
Date: 2009-03-06 17:22:30 -0800 (Fri, 06 Mar 2009)
ViewCVS: http://viewsvn.bricolage.cc/?rev=8464&view=rev
Log Message:
-----------
Be smarter (and less vulnerable to SQL injection attacks) with offsets and limits.
Modified Paths:
--------------
bricolage/trunk/lib/Bric/Util/Event.pm
Modified: bricolage/trunk/lib/Bric/Util/Event.pm
===================================================================
--- bricolage/trunk/lib/Bric/Util/Event.pm 2009-03-07 01:07:36 UTC (rev 8463)
+++ bricolage/trunk/lib/Bric/Util/Event.pm 2009-03-07 01:22:30 UTC (rev 8464)
@@ -1395,7 +1395,7 @@
 # ', member m, event_member em';
 my $wheres = 'e.event_type__id = t.id AND t.class__id = c.id'; # .
 # ' AND e.id = em.object_id AND m.id = em.member__id';
- my @params;
+ my (@params, @limits);
 
 # Handle query metadata.
 my $order_by = 'e.timestamp DESC, e.id DESC';
@@ -1407,14 +1407,17 @@
 if $params->{OrderDirection};
 }
 
- my $limit = exists $params->{Limit}
- ? 'LIMIT ' . delete $params->{Limit}
- : '';
+ my $limit = '';
+ if ($params->{Limit}) {
+ push @limits, delete $params->{Limit};
+ $limit = ' LIMIT ?';
+ }
+ my $offset = '';
+ if ($params->{Offset}) {
+ push @limits, delete $params->{Offset};
+ $offset = ' OFFSET ?';
+ }
 
- my $offset = exists $params->{Offset}
- ? 'OFFSET ' . delete $params->{Offset}
- : '';
- 
 while (my ($k, $v) = each %$params) {
 if ($k eq 'timestamp') {
 # It's a date column.
@@ -1473,7 +1476,7 @@
 # Just return the IDs, if they're what's wanted.
 return col_aref($sel, @params) if $ids;
 
- execute($sel, @params);
+ execute($sel, @params, @limits);
 my (@d, @events, $attrs, $key, $val); # , $grp_ids, %seen
 $pkg = ref $pkg || $pkg;
 bind_columns($sel, \@d[0..$#SEL_PROPS], \$key, \$val);
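Review bot: The early-return path just above the changed `execute` call in the last hunk still binds only `@params`: `return col_aref($sel, @params) if $ids;` — if `$sel` carries the new ` LIMIT ?`/` OFFSET ?` fragments the way it carried the old literal text, that statement now has more placeholders than bind values and DBI will refuse to execute it whenever `$ids` is set together with `Limit`/`Offset`, so it should read `return col_aref($sel, @params, @limits) if $ids;`. The second hunk also replaces `exists $params->{Limit}` with a truthiness test, so `Limit => 0` and `Offset => 0` are now silently dropped instead of bound; `if (exists $params->{Limit})` (and likewise for `Offset`) keeps the old contract while still binding the value. Binding through placeholders is the right fix for the injection, but the hunks do not show where `$limit` and `$offset` are appended to `$sel`, so the push order into `@limits` (Limit, then Offset) must match the order the fragments appear in the SQL. The enclosing sub starts and ends outside these hunks.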