sql: pass offset/limit as parameters to prepared statement (#43101)
(and note it is not possible to do so for ORDER BY)
This commit is contained in:
parent
36e55b6865
commit
92f7c78835
16
wcs/sql.py
16
wcs/sql.py
|
|
@ -257,10 +257,10 @@ def parse_clause(clause):
|
|||
# - a callable, or None if all clauses have been successfully translated
|
||||
|
||||
if clause is None:
|
||||
return ([], None, None)
|
||||
return ([], {}, None)
|
||||
|
||||
if callable(clause): # already a callable
|
||||
return ([], None, clause)
|
||||
if callable(clause): # already a callable
|
||||
return ([], {}, clause)
|
||||
|
||||
# create 'WHERE' clauses
|
||||
func_clauses = []
|
||||
|
|
@ -1177,6 +1177,9 @@ class SqlMixin(object):
|
|||
sql_statement += ' WHERE ' + ' AND '.join(where_clauses)
|
||||
|
||||
if order_by:
|
||||
# [SEC_ORDER] security note: it is not possible to use
|
||||
# prepared statements for ORDER BY clauses, therefore input
|
||||
# is controlled beforehand (see misc.get_order_by_or_400).
|
||||
if order_by.startswith('-'):
|
||||
order_by = order_by[1:]
|
||||
sql_statement += ' ORDER BY %s DESC' % order_by.replace('-', '_')
|
||||
|
|
@ -1185,9 +1188,11 @@ class SqlMixin(object):
|
|||
|
||||
if not func_clause:
|
||||
if limit:
|
||||
sql_statement += ' LIMIT %s' % limit
|
||||
sql_statement += ' LIMIT %(limit)s'
|
||||
parameters['limit'] = limit
|
||||
if offset:
|
||||
sql_statement += ' OFFSET %s' % offset
|
||||
sql_statement += ' OFFSET %(offset)s'
|
||||
parameters['offset'] = offset
|
||||
|
||||
conn, cur = get_connection_and_cursor()
|
||||
cur.execute(sql_statement, parameters)
|
||||
|
|
@ -1335,6 +1340,7 @@ class SqlMixin(object):
|
|||
assert not func_clause
|
||||
if where_clauses:
|
||||
sql_statement += ' WHERE ' + ' AND '.join(where_clauses)
|
||||
# security note, refer to [SEC_ORDER]
|
||||
if order_by.startswith('-'):
|
||||
order_by = order_by[1:]
|
||||
sql_statement += ' ORDER BY %s DESC' % order_by.replace('-', '_')
|
||||
|
|
|
|||
Loading…
Reference in New Issue