From coli...@apache.org
Subject cvs commit: cocoon-2.1/src/scratchpad/webapp/samples/petstore/flow PetStoreImpl.js
Date Mon, 17 Mar 2003 18:54:04 GMT
coliver     2003/03/17 10:54:04

  Modified:    src/scratchpad/webapp/samples/petstore/flow PetStoreImpl.js
  Log:
  avoid sql injection
  
  Revision  Changes    Path
  1.5       +11 -8     cocoon-2.1/src/scratchpad/webapp/samples/petstore/flow/PetStoreImpl.js
  
  Index: PetStoreImpl.js
  ===================================================================
  RCS file: /home/cvs/cocoon-2.1/src/scratchpad/webapp/samples/petstore/flow/PetStoreImpl.js,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- PetStoreImpl.js	17 Mar 2003 04:51:52 -0000	1.4
  +++ PetStoreImpl.js	17 Mar 2003 18:54:04 -0000	1.5
  @@ -503,7 +503,7 @@
   
   PetStore.prototype.getItemListByProduct = function(prodId) {
       var conn = this.getConnection(this.poolId);
  -    var result = conn.query("select * from ITEM where PRODUCTID = '"+prodId + "'");
  +    var result = conn.query("select * from ITEM where PRODUCTID = ?", [prodId]);
       
       conn.close();
       return result;
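Review bot: The connection obtained on the line before the new `conn.query(...)` call is only closed on the success path; if the query throws, `conn.close()` is never reached and the pooled connection leaks. The same shape recurs in every hunk of this commit (getItem, getAccount, getProduct, getProductListByCategory, getProductRowCountByCategory, getItemRowCountByProduct, searchProductList), so the fix is worth applying uniformly rather than per method. Wrapping the query in try/finally keeps the parameterized call as committed and guarantees release.
```javascript
PetStore.prototype.getItemListByProduct = function(prodId) {
    var conn = this.getConnection(this.poolId);
    try {
        return conn.query("select * from ITEM where PRODUCTID = ?", [prodId]);
    } finally {
        conn.close();
    }
}
```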
  @@ -512,7 +512,7 @@
   PetStore.prototype.getItem = function(itemId) {
       print("getItem: " + itemId);
       var conn = this.getConnection(this.poolId);
  -    var result = conn.query("select * from ITEM item, INVENTORY inv where item.ITEMID =
inv.ITEMID and item.ITEMID = '" + itemId + "'");
  +    var result = conn.query("select * from ITEM item, INVENTORY inv where item.ITEMID =
inv.ITEMID and item.ITEMID = ?", [itemId]);
       conn.close();
       result.rows[0].product = this.getProduct(result.rows[0].productId);
       return result.rows[0];
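Review bot: The line after `conn.close()` dereferences `result.rows[0].product` without checking that the parameterized query returned a row, so an unknown `itemId` now produces a TypeError instead of a controlled "not found" result. A guard such as `if (result.rows.length === 0) return null;` placed right after `conn.close();` would let callers handle the absent item. The `print("getItem: " + itemId)` on the first context line also echoes the raw request parameter to the log; if it is a leftover debug trace it should go, otherwise a short comment stating that it is intentional would help.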
  @@ -520,7 +520,7 @@
   
   PetStore.prototype.getAccount = function(username, password) {
       var conn = this.getConnection(this.poolId);
  -    var result = conn.query("select * from ACCOUNT, PROFILE, SIGNON, BANNERDATA where ACCOUNT.USERID
= '"+username+"' and SIGNON.USERNAME = ACCOUNT.USERID and PROFILE.USERID = ACCOUNT.USERID
and PROFILE.FAVCATEGORY = BANNERDATA.FAVCATEGORY");
  +    var result = conn.query("select * from ACCOUNT, PROFILE, SIGNON, BANNERDATA where ACCOUNT.USERID
= ? and SIGNON.USERNAME = ACCOUNT.USERID and PROFILE.USERID = ACCOUNT.USERID and PROFILE.FAVCATEGORY
= BANNERDATA.FAVCATEGORY", [username]);
       
       var record = result.rows[0];
       conn.close();
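Review bot: The rewritten query still uses `select *` across ACCOUNT, PROFILE, SIGNON and BANNERDATA, so every SIGNON column is returned into `result` even though only `username` is bound; the `password` parameter is not used anywhere in this hunk, and the remainder of getAccount lies outside it. If the password is verified further down the function, consider naming the columns the flow actually needs so the SIGNON record does not travel with the rest of the account data. `record = result.rows[0]` will also be undefined for an unknown user, which the code after the hunk has to tolerate.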
  @@ -529,7 +529,7 @@
   
   PetStore.prototype.getProduct = function(key, skipResults, maxResults) {
       var conn = this.getConnection(this.poolId);
  -    var result = conn.query("select * from PRODUCT where PRODUCTID = '" + key + "'", 
  +    var result = conn.query("select * from PRODUCT where PRODUCTID = ?", [key],
                               skipResults, maxResults);
       
       conn.close();
  @@ -538,7 +538,7 @@
   
   PetStore.prototype.getProductListByCategory = function(key, skipResults, maxResults) {
       var conn = this.getConnection(this.poolId);
  -    var result = conn.query("select * from PRODUCT where CATEGORY = '" + key + "'", 
  +    var result = conn.query("select * from PRODUCT where CATEGORY = ?", [key], 
                               skipResults, maxResults);
       conn.close();
       return result;
  @@ -546,7 +546,8 @@
   
   PetStore.prototype.getProductRowCountByCategory = function(key) {
       var conn = this.getConnection(this.poolId);
  -    var rs = conn.query("select count(*) as ROWCOUNT from PRODUCT where CATEGORY = '" +
key + "'");
  +    var rs = conn.query("select count(*) as ROWCOUNT from PRODUCT where CATEGORY = ?",
  +			[key]);
       var result = rs.rows[0].ROWCOUNT;
       conn.close();
       return Number(result);
  @@ -554,7 +555,8 @@
   
   PetStore.prototype.getItemRowCountByProduct = function(key) {
       var conn = this.getConnection(this.poolId);
  -    var rs = conn.query("select count(*) as ROWCOUNT from ITEM where PRODUCTID = '" + key
+ "'");
  +    var rs = conn.query("select count(*) as ROWCOUNT from ITEM where PRODUCTID = ?",
  +			[key]);
       var result = rs.rows[0].ROWCOUNT;
       conn.close();
       return Number(result);
  @@ -562,7 +564,8 @@
   
   PetStore.prototype.searchProductList = function(key, skipResults, maxResults) {
       var conn = this.getConnection(this.poolId);
  -    var result = conn.query("select * from PRODUCT where lower(name) like '%" + key + "%'
or lower(category) like '%" + key + "%' or lower(descn) like '%" + key + "%'", skipResults,
maxResults);
  +    key = "%" + key + "%";
  +    var result = conn.query("select * from PRODUCT where lower(name) like ? or lower(category)
like ? or lower(descn) like ?", [key, key, key], skipResults, maxResults);
       conn.close();
       return result;
   }
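Review bot: Binding `"%" + key + "%"` removes the SQL injection but leaves LIKE pattern injection: `%` and `_` characters inside the user-supplied `key` still act as wildcards, so a single `%` matches every product. If the target database supports the SQL-92 `ESCAPE` clause, escape those characters before binding, e.g. `var pattern = "%" + key.replace(/[\\%_]/g, "\\$&") + "%";` and `like ? escape '\\'` in each of the three predicates; the `[pattern, pattern, pattern]` binding then stays as committed. Assigning to the `key` parameter on the new line is also worth replacing with a local variable so the argument is not mutated. Note that the column side is lowercased but the bound pattern is not, which keeps the search case-sensitive on the input; that behaviour predates this commit.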
  
  
  
