From aa63e3f4ab413547aa71c7cc3171e80aeb7a7bff Mon Sep 17 00:00:00 2001
From: oof1lab
Date: Mon, 6 Nov 2017 17:23:29 +0000
Subject: [PATCH] Fix: turn all select statements to prepared queries.

---
 lib/xapi.js | 18 ++++++++----------
 lib/xsql.js | 31 ++++++++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/lib/xapi.js b/lib/xapi.js
index a026267594..48993949fd 100644
--- a/lib/xapi.js
+++ b/lib/xapi.js
@@ -234,19 +234,18 @@ class Xapi {
 async list(req, res) {
 let queryParamsObj = {}
- queryParamsObj.query = '';
+ queryParamsObj.query = 'select ';
 queryParamsObj.params = [];
- let cols = ''
 if (req.query._groupby) {
- cols = this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName);
+ this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName, queryParamsObj);
 } else {
- cols = this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query);
+ this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query, queryParamsObj);
 }
 /**************** tableName ****************/
- queryParamsObj.query = 'select ' + cols + ' from ?? ';
+ queryParamsObj.query += ' from ?? ';
 queryParamsObj.params.push(req.app.locals._tableName);
 /**************** where clause ****************/
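Review bot: The select-list prologue of `list` — the `'select '` seed, the `_groupby` dispatch and the `' from ?? '` append — is now repeated line for line at the top of `nestedList` in the next hunk, and both handlers rely on the two `getColumnsForSelectStmt*` helpers appending to `queryParamsObj` in place while discarding whatever they return, which nothing at the call site says. At minimum a one-line comment above the `if` would make the contract visible, e.g. `// helpers append the column list and its ?? identifier params to queryParamsObj in place`; moving the dispatch into a single method on Xapi called from both handlers would remove the duplication as well. The body of `list` continues past the end of the hunk, so the rest of the query construction is not visible here.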
@@ -274,18 +273,17 @@ class Xapi {
 async nestedList(req, res) {
- let cols = ''
 let queryParamsObj = {}
- queryParamsObj.query = '';
+ queryParamsObj.query = 'select ';
 queryParamsObj.params = [];
 /**************** tableName ****************/
 if (req.query._groupby) {
- cols = this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName);
+ this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName, queryParamsObj);
 } else {
- cols = this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query);
+ this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query, queryParamsObj);
 }
- queryParamsObj.query = 'select ' + cols + ' from ?? where ';
+ queryParamsObj.query += ' from ?? where ';
 queryParamsObj.params.push(req.app.locals._childTable);
 /**************** where foreign key ****************/
diff --git a/lib/xsql.js b/lib/xsql.js
index b366c89af4..5037747252 100644
--- a/lib/xsql.js
+++ b/lib/xsql.js
@@ -175,7 +175,7 @@ class Xsql {
 getGroupByClause(_groupby, tableName, queryParamsObj) {
- if(_groupby){
+ if (_groupby) {
 queryParamsObj.query += ' group by ' + _groupby + ' '
 return _groupby
 }
@@ -186,7 +186,7 @@ class Xsql {
 if (_having) {
- let whereClauseObj = whereHelp.getConditionClause(_having,'having')
+ let whereClauseObj = whereHelp.getConditionClause(_having, 'having')
 if (whereClauseObj.err === 0) {
 queryParamsObj.query = queryParamsObj.query + ' having ' + whereClauseObj.query;
@@ -244,11 +244,23 @@ class Xsql {
 return orderBy
 }
- getColumnsForSelectStmtWithGrpBy(reqQueryParams, tableName) {
- return reqQueryParams._groupby + ',count(1) as _count'
+ getColumnsForSelectStmtWithGrpBy(reqQueryParams, tableName, queryParamsObj) {
+
+ let grpByCols = reqQueryParams._groupby.split(',');
+
+ for (var i = 0; i < grpByCols.length; ++i) {
+ if (i) {
+ queryParamsObj.query += ','
+ }
+ queryParamsObj.query += ' ??'
+ queryParamsObj.params.push(grpByCols[i])
+ }
+
+ queryParamsObj.query += ',count(1) as _count '
+ }
- getColumnsForSelectStmt(tableName, reqQueryParams) {
+ getColumnsForSelectStmt(tableName, reqQueryParams, queryParamsObj) {
 let table = this.metaDb.tables[tableName];
 let cols = [];
@@ -259,6 +271,7 @@ class Xsql {
 if ('_fields' in reqQueryParams) {
 _fieldsInQuery = reqQueryParams['_fields'].split(',')
 } else {
+ queryParamsObj.query += ' * '
 return " * ";
 }
@@ -285,6 +298,14 @@ class Xsql {
 }
+ for (var i = 0; i < cols.length; ++i) {
+ if (i) {
+ queryParamsObj.query += ','
+ }
+ queryParamsObj.query += '??'
+ queryParamsObj.params.push(cols[i])
+ }
+
 return cols.join(',')
 }
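Review bot: The new `getColumnsForSelectStmtWithGrpBy` routes every `_groupby` column through a `??` identifier placeholder, but the same request value is still concatenated raw into the statement by `getGroupByClause` (`queryParamsObj.query += ' group by ' + _groupby + ' '`, visible in the hunk at @@ -175), so for grouped queries the commit's stated goal is only half met: the identifiers reach MySQL escaped in the select list and unescaped in the group by clause. The same split-and-push treatment belongs there so `_groupby` takes the `??` path everywhere it is used; a rewrite of that branch is below. Separately, `split(',')` keeps surrounding whitespace, so `_groupby=a, b` produces the identifier ` b`, which `??` quoting turns into a column name that does not exist; a `.map((c) => c.trim())` after the split avoids that in both places. Whether `_groupby` can only ever be a string here is not visible; if the query parser yields an array for repeated keys, `.split` would throw.
```javascript
getGroupByClause(_groupby, tableName, queryParamsObj) {
  if (_groupby) {
    const grpByCols = _groupby.split(',').map((c) => c.trim());
    // one ?? per column so the identifiers are escaped like the select list
    queryParamsObj.query += ' group by ' + grpByCols.map(() => '??').join(',') + ' ';
    queryParamsObj.params.push(...grpByCols);
    return _groupby
  }
  // … unchanged: remainder of getGroupByClause …
```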
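Review bot: `getColumnsForSelectStmt` now writes the `??` list into `queryParamsObj` and still returns `cols.join(',')` (and `" * "` after the new append in the hunk at @@ -259), while its grouped sibling in the hunk above returns nothing and both call sites in lib/xapi.js discard the result; the two helpers should agree, either by dropping the string returns or by a short comment on each stating that the `queryParamsObj` mutation is the contract and the return value is vestigial. Both new loops declare the counter with `var i`, which is function-scoped; `let i` matches the `let` the file already uses and keeps the counters local to their loops. The new loop also emits `'??'` where the grouped variant emits `' ??'`; harmless given the `'select '` seed, but worth aligning. The top of the method is in the earlier hunk and the code between the hunks is not visible, so whether `cols` has been checked against `table` before it is pushed as params cannot be confirmed from here.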