Fix: turn all select statements to prepared queries.

7 years ago · aa63e3f4ab
2 changed files with 34 additions and 15 deletions
--- a/lib/xapi.js
+++ b/lib/xapi.js
@ -234,19 +234,18 @@ class Xapi {
  async list(req, res) {

    let queryParamsObj = {}
-    queryParamsObj.query = '';
+    queryParamsObj.query = 'select ';
    queryParamsObj.params = [];
-    let cols = ''

    if (req.query._groupby) {
-      cols = this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName);
+      this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName, queryParamsObj);
    } else {
-      cols = this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query);
+      this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query, queryParamsObj);
    }


    /**************** tableName ****************/
-    queryParamsObj.query = 'select ' + cols + ' from ?? ';
+    queryParamsObj.query += ' from ?? ';
    queryParamsObj.params.push(req.app.locals._tableName);

    /**************** where clause ****************/
@ -274,18 +273,17 @@ class Xapi {

  async nestedList(req, res) {

-    let cols = ''
    let queryParamsObj = {}
-    queryParamsObj.query = '';
+    queryParamsObj.query = 'select ';
    queryParamsObj.params = [];

    /**************** tableName ****************/
    if (req.query._groupby) {
-      cols = this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName);
+      this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName, queryParamsObj);
    } else {
-      cols = this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query);
+      this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query, queryParamsObj);
    }
-    queryParamsObj.query = 'select ' + cols + ' from ?? where ';
+    queryParamsObj.query += ' from ?? where ';
    queryParamsObj.params.push(req.app.locals._childTable);

    /**************** where foreign key ****************/
--- a/lib/xsql.js
+++ b/lib/xsql.js
@ -175,7 +175,7 @@ class Xsql {

  getGroupByClause(_groupby, tableName, queryParamsObj) {

-    if(_groupby){
+    if (_groupby) {
      queryParamsObj.query += ' group by ' + _groupby + ' '
      return _groupby
    }
@ -186,7 +186,7 @@ class Xsql {

    if (_having) {

-      let whereClauseObj = whereHelp.getConditionClause(_having,'having')
+      let whereClauseObj = whereHelp.getConditionClause(_having, 'having')

      if (whereClauseObj.err === 0) {
        queryParamsObj.query = queryParamsObj.query + ' having ' + whereClauseObj.query;
@ -244,11 +244,23 @@ class Xsql {
    return orderBy
  }

-  getColumnsForSelectStmtWithGrpBy(reqQueryParams, tableName) {
-    return reqQueryParams._groupby + ',count(1) as _count'
+  getColumnsForSelectStmtWithGrpBy(reqQueryParams, tableName, queryParamsObj) {
+
+    let grpByCols = reqQueryParams._groupby.split(',');
+
+    for (var i = 0; i < grpByCols.length; ++i) {
+      if (i) {
+        queryParamsObj.query += ','
+      }
+      queryParamsObj.query += ' ??'
+      queryParamsObj.params.push(grpByCols[i])
+    }
+
+    queryParamsObj.query += ',count(1) as _count '
+
  }

-  getColumnsForSelectStmt(tableName, reqQueryParams) {
+  getColumnsForSelectStmt(tableName, reqQueryParams, queryParamsObj) {

    let table = this.metaDb.tables[tableName];
    let cols = [];
@ -259,6 +271,7 @@ class Xsql {
    if ('_fields' in reqQueryParams) {
      _fieldsInQuery = reqQueryParams['_fields'].split(',')
    } else {
+      queryParamsObj.query += ' * '
      return " * ";
    }

@ -285,6 +298,14 @@ class Xsql {

    }

+    for (var i = 0; i < cols.length; ++i) {
+      if (i) {
+        queryParamsObj.query += ','
+      }
+      queryParamsObj.query += '??'
+      queryParamsObj.params.push(cols[i])
+    }
+
    return cols.join(',')

  }