From coli...@apache.org
Subject cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/flow/javascript ScriptableConnection.java
Date Mon, 17 Mar 2003 18:53:16 GMT
coliver     2003/03/17 10:53:16

  Modified:    src/java/org/apache/cocoon/components/flow/javascript
                        ScriptableConnection.java
  Log:
  avoid sql injection
  
  Revision  Changes    Path
  1.4       +40 -11    cocoon-2.1/src/java/org/apache/cocoon/components/flow/javascript/ScriptableConnection.java
  
  Index: ScriptableConnection.java
  ===================================================================
  RCS file: /home/cvs/cocoon-2.1/src/java/org/apache/cocoon/components/flow/javascript/ScriptableConnection.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- ScriptableConnection.java	16 Mar 2003 17:49:12 -0000	1.3
  +++ ScriptableConnection.java	17 Mar 2003 18:53:16 -0000	1.4
  @@ -52,8 +52,8 @@
    * A ScriptableConnection provides two methods:
    *
    * <UL>
  - * <LI>query([String] sql, [Number] startRow, [Number] maxRows)</LI>
  - * <LI>update([String] sql)</LI>
  + * <LI>query([String] stmt, [Array] parameters, [Number] startRow, [Number] maxRows)</LI>
  + * <LI>update([String] stmt, [Array] parameters)</LI>
    * </UL>
    * The object returned by <code>query</code> contains the following
    * properties:
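Review bot: The new Javadoc entries name an `[Array] parameters` argument but do not say how it is used, so a script author cannot tell from the doc that the values are bound positionally to JDBC `?` placeholders in `stmt`, nor that the argument may be left undefined (the implementation in the later hunks tests for `Undefined.instance` and only then skips binding). I would extend the list items, e.g. `<LI>query([String] stmt, [Array] parameters, [Number] startRow, [Number] maxRows) - parameters are bound, in order, to the ? placeholders in stmt</LI>` and the matching text on the `update` entry. A sentence after the list stating that `parameters` may be undefined when the statement has no placeholders would complete the contract.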
  @@ -205,13 +205,27 @@
           this.wrapper = Context.toObject(connection, parent);
       }
   
  -    public Object jsFunction_query(String sql, 
  -                                   int startRow, 
  -                                   int maxRows) 
  +    public Object jsFunction_query(String sql, Object params,
  +                                   int startRow, int maxRows) 
           throws JavaScriptException {
           try {
  -            Statement stmt = connection.createStatement();
  -            ResultSet rs = stmt.executeQuery(sql);
  +            PreparedStatement stmt = connection.prepareStatement(sql);
  +	    Scriptable array = (Scriptable)params;
  +	    if (array != Undefined.instance) {
  +		int len = (int)
  +		    Context.toNumber(ScriptableObject.getProperty(array, "length"));
  +		for (int i = 0; i < len; i++) {
  +		    Object val = ScriptableObject.getProperty(array, i);
  +		    if (val instanceof Wrapper) {
  +			val = ((Wrapper)val).unwrap();
  +		    }
  +		    if (val == Scriptable.NOT_FOUND) {
  +			val = null;
  +		    }
  +		    stmt.setObject(i + 1, val);
  +		}
  +	    }
  +            ResultSet rs = stmt.executeQuery();
               if (maxRows == 0) {
                   maxRows = -1;
               }
  @@ -225,11 +239,26 @@
           }
       }
   
  -    public int jsFunction_update(String sql) 
  +    public int jsFunction_update(String sql, Object params) 
           throws JavaScriptException {
           try {
  -            Statement stmt = connection.createStatement();
  -            stmt.execute(sql);
  +            PreparedStatement stmt = connection.prepareStatement(sql);
  +	    Scriptable array = (Scriptable)params;
  +	    if (array != Undefined.instance) {
  +		int len = (int)
  +		    Context.toNumber(ScriptableObject.getProperty(array, "length"));
  +		for (int i = 0; i < len; i++) {
  +		    Object val = ScriptableObject.getProperty(array, i);
  +		    if (val instanceof Wrapper) {
  +			val = ((Wrapper)val).unwrap();
  +		    }
  +		    if (val == Scriptable.NOT_FOUND) {
  +			val = null;
  +		    }
  +		    stmt.setObject(i + 1, val);
  +		}
  +	    }
  +            stmt.execute();
               return stmt.getUpdateCount();
           } catch (Exception e) {
               throw new JavaScriptException(e);
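Review bot: The `PreparedStatement` created at `connection.prepareStatement(sql)` is never closed in `jsFunction_update`; after `stmt.execute()` and `stmt.getUpdateCount()` the method returns and the statement is left open on the shared connection, and a failure in the `setObject` loop leaks it as well. Since this code base predates try-with-resources, a `try { ... } finally { stmt.close(); }` opened right after `prepareStatement` and enclosing both the binding loop and `try { stmt.execute(); return stmt.getUpdateCount(); } finally { stmt.close(); }` would release it on every path. The method's closing lines lie outside this hunk, so the existing `catch (Exception e)` would still wrap any `SQLException` raised by `close()`.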
  
  
  
