coliver     2003/03/17 10:53:16

  Modified:    src/java/org/apache/cocoon/components/flow/javascript
                        ScriptableConnection.java
  Log:
  avoid sql injection
  
  Revision  Changes    Path
  1.4       +40 -11    
cocoon-2.1/src/java/org/apache/cocoon/components/flow/javascript/ScriptableConnection.java
  
  Index: ScriptableConnection.java
  ===================================================================
  RCS file: 
/home/cvs/cocoon-2.1/src/java/org/apache/cocoon/components/flow/javascript/ScriptableConnection.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- ScriptableConnection.java 16 Mar 2003 17:49:12 -0000      1.3
  +++ ScriptableConnection.java 17 Mar 2003 18:53:16 -0000      1.4
  @@ -52,8 +52,8 @@
    * A ScriptableConnection provides two methods:
    *
    * <UL>
  - * <LI>query([String] sql, [Number] startRow, [Number] maxRows)</LI>
  - * <LI>update([String] sql)</LI>
  + * <LI>query([String] stmt, [Array] parameters, [Number] startRow, [Number] 
maxRows)</LI>
  + * <LI>update([String] stmt, [Array] parameters)</LI>
    * </UL>
    * The object returned by <code>query</code> contains the following
    * properties:
  @@ -205,13 +205,27 @@
           this.wrapper = Context.toObject(connection, parent);
       }
   
  -    public Object jsFunction_query(String sql, 
  -                                   int startRow, 
  -                                   int maxRows) 
  +    public Object jsFunction_query(String sql, Object params,
  +                                   int startRow, int maxRows) 
           throws JavaScriptException {
           try {
  -            Statement stmt = connection.createStatement();
  -            ResultSet rs = stmt.executeQuery(sql);
  +            PreparedStatement stmt = connection.prepareStatement(sql);
  +         Scriptable array = (Scriptable)params;
  +         if (array != Undefined.instance) {
  +             int len = (int)
  +                 Context.toNumber(ScriptableObject.getProperty(array, "length"));
  +             for (int i = 0; i < len; i++) {
  +                 Object val = ScriptableObject.getProperty(array, i);
  +                 if (val instanceof Wrapper) {
  +                     val = ((Wrapper)val).unwrap();
  +                 }
  +                 if (val == Scriptable.NOT_FOUND) {
  +                     val = null;
  +                 }
  +                 stmt.setObject(i + 1, val);
  +             }
  +         }
  +            ResultSet rs = stmt.executeQuery();
               if (maxRows == 0) {
                   maxRows = -1;
               }
  @@ -225,11 +239,26 @@
           }
       }
   
  -    public int jsFunction_update(String sql) 
  +    public int jsFunction_update(String sql, Object params) 
           throws JavaScriptException {
           try {
  -            Statement stmt = connection.createStatement();
  -            stmt.execute(sql);
  +            PreparedStatement stmt = connection.prepareStatement(sql);
  +         Scriptable array = (Scriptable)params;
  +         if (array != Undefined.instance) {
  +             int len = (int)
  +                 Context.toNumber(ScriptableObject.getProperty(array, "length"));
  +             for (int i = 0; i < len; i++) {
  +                 Object val = ScriptableObject.getProperty(array, i);
  +                 if (val instanceof Wrapper) {
  +                     val = ((Wrapper)val).unwrap();
  +                 }
  +                 if (val == Scriptable.NOT_FOUND) {
  +                     val = null;
  +                 }
  +                 stmt.setObject(i + 1, val);
  +             }
  +         }
  +            stmt.execute();
               return stmt.getUpdateCount();
           } catch (Exception e) {
               throw new JavaScriptException(e);
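Review bot: `stmt.execute()` followed by `stmt.getUpdateCount()` at lines 92–93 yields -1 when the statement produces a result set instead of an update count, so a script that calls update() with a query gets a silent -1 rather than an error; `return stmt.executeUpdate();` returns the count directly and, per the JDBC contract, fails if the statement returns a ResultSet. The PreparedStatement is closed nowhere inside the hunk and the visible `catch (Exception e)` does not close it either, so unless a `finally` block outside the hunk does, each call leaks a statement and its driver-side resources; a `finally { stmt.close(); }` around the execute covers both the success and the exception path. jsFunction_update's body continues past the hunk.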
  
  
  
