
Fix: turn all select statements into prepared (parameterized) queries.

pull/13/head
oof1lab 7 years ago
parent
commit
aa63e3f4ab
  1. 18
      lib/xapi.js
  2. 31
      lib/xsql.js

18
lib/xapi.js

@ -234,19 +234,18 @@ class Xapi {
async list(req, res) { async list(req, res) {
let queryParamsObj = {} let queryParamsObj = {}
queryParamsObj.query = ''; queryParamsObj.query = 'select ';
queryParamsObj.params = []; queryParamsObj.params = [];
let cols = ''
if (req.query._groupby) { if (req.query._groupby) {
cols = this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName); this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName, queryParamsObj);
} else { } else {
cols = this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query); this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query, queryParamsObj);
} }
/**************** tableName ****************/ /**************** tableName ****************/
queryParamsObj.query = 'select ' + cols + ' from ?? '; queryParamsObj.query += ' from ?? ';
queryParamsObj.params.push(req.app.locals._tableName); queryParamsObj.params.push(req.app.locals._tableName);
/**************** where clause ****************/ /**************** where clause ****************/
@ -274,18 +273,17 @@ class Xapi {
async nestedList(req, res) { async nestedList(req, res) {
let cols = ''
let queryParamsObj = {} let queryParamsObj = {}
queryParamsObj.query = ''; queryParamsObj.query = 'select ';
queryParamsObj.params = []; queryParamsObj.params = [];
/**************** tableName ****************/ /**************** tableName ****************/
if (req.query._groupby) { if (req.query._groupby) {
cols = this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName); this.mysql.getColumnsForSelectStmtWithGrpBy(req.query, req.app.locals._tableName, queryParamsObj);
} else { } else {
cols = this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query); this.mysql.getColumnsForSelectStmt(req.app.locals._tableName, req.query, queryParamsObj);
} }
queryParamsObj.query = 'select ' + cols + ' from ?? where '; queryParamsObj.query += ' from ?? where ';
queryParamsObj.params.push(req.app.locals._childTable); queryParamsObj.params.push(req.app.locals._childTable);
/**************** where foreign key ****************/ /**************** where foreign key ****************/
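Review bot: The `_groupby` branch in both `list` and `nestedList` hands `req.query._groupby` straight to `getColumnsForSelectStmtWithGrpBy`, which calls `.split(',')` on it; if the app's query parser yields an array or object for a repeated or bracketed `_groupby` parameter (Express's default `qs` parser does this), that call throws a TypeError inside the async handler, and no catch is visible in either hunk. A type guard such as `if (typeof req.query._groupby === 'string' && req.query._groupby)` keeps malformed input on the plain-select path instead of surfacing as an unhandled rejection. The column-building block is also duplicated verbatim between the two handlers and could become one small helper that takes `req` and `queryParamsObj`. Both `list` and `nestedList` continue past the end of the hunk, so any downstream handling was not reviewed here.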

31
lib/xsql.js

@ -175,7 +175,7 @@ class Xsql {
getGroupByClause(_groupby, tableName, queryParamsObj) { getGroupByClause(_groupby, tableName, queryParamsObj) {
if(_groupby){ if (_groupby) {
queryParamsObj.query += ' group by ' + _groupby + ' ' queryParamsObj.query += ' group by ' + _groupby + ' '
return _groupby return _groupby
} }
@ -186,7 +186,7 @@ class Xsql {
if (_having) { if (_having) {
let whereClauseObj = whereHelp.getConditionClause(_having,'having') let whereClauseObj = whereHelp.getConditionClause(_having, 'having')
if (whereClauseObj.err === 0) { if (whereClauseObj.err === 0) {
queryParamsObj.query = queryParamsObj.query + ' having ' + whereClauseObj.query; queryParamsObj.query = queryParamsObj.query + ' having ' + whereClauseObj.query;
@ -244,11 +244,23 @@ class Xsql {
return orderBy return orderBy
} }
getColumnsForSelectStmtWithGrpBy(reqQueryParams, tableName) { getColumnsForSelectStmtWithGrpBy(reqQueryParams, tableName, queryParamsObj) {
return reqQueryParams._groupby + ',count(1) as _count'
let grpByCols = reqQueryParams._groupby.split(',');
for (var i = 0; i < grpByCols.length; ++i) {
if (i) {
queryParamsObj.query += ','
}
queryParamsObj.query += ' ??'
queryParamsObj.params.push(grpByCols[i])
}
queryParamsObj.query += ',count(1) as _count '
} }
getColumnsForSelectStmt(tableName, reqQueryParams) { getColumnsForSelectStmt(tableName, reqQueryParams, queryParamsObj) {
let table = this.metaDb.tables[tableName]; let table = this.metaDb.tables[tableName];
let cols = []; let cols = [];
@ -259,6 +271,7 @@ class Xsql {
if ('_fields' in reqQueryParams) { if ('_fields' in reqQueryParams) {
_fieldsInQuery = reqQueryParams['_fields'].split(',') _fieldsInQuery = reqQueryParams['_fields'].split(',')
} else { } else {
queryParamsObj.query += ' * '
return " * "; return " * ";
} }
@ -285,6 +298,14 @@ class Xsql {
} }
for (var i = 0; i < cols.length; ++i) {
if (i) {
queryParamsObj.query += ','
}
queryParamsObj.query += '??'
queryParamsObj.params.push(cols[i])
}
return cols.join(',') return cols.join(',')
} }
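Review bot: The GROUP BY clause in `getGroupByClause` still concatenates the raw `_groupby` string into the SQL (`' group by ' + _groupby + ' '`, visible as context in this section) even though the same columns are now bound with `??` placeholders in `getColumnsForSelectStmtWithGrpBy`, so the select list is parameterized but the grouping is not and the commit title is not yet true for this path. Assuming `??` is the mysql driver's identifier placeholder, the same split-and-bind loop can be reused there; I would also add a short comment in `getColumnsForSelectStmtWithGrpBy` noting that `??` quotes each entry as an identifier, so expressions like `year(created)` that previously worked will now be rejected by the database. The `_having` path goes through `whereHelp.getConditionClause`, which is not in view, and `getGroupByClause`'s body continues outside the hunk.
```javascript
getGroupByClause(_groupby, tableName, queryParamsObj) {
  if (_groupby) {
    const grpByCols = _groupby.split(',');
    for (let i = 0; i < grpByCols.length; ++i) {
      // bind each grouping column as an identifier, matching the select list
      queryParamsObj.query += (i ? ',' : ' group by ') + '??';
      queryParamsObj.params.push(grpByCols[i]);
    }
    queryParamsObj.query += ' ';
    return _groupby;
  }
  // … unchanged: remainder of getGroupByClause outside the hunk …
```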
