The following comment has been added to this issue:

Author: Georges Racinet
Date: 02/05/07 17:03
Comment:
Design draft with OG:
- two public static methods on SQLQueryParser:
  + public String escapeStringLiteral(String s): escape a single literal
  + public String formatQuery(String format, Object... params): replaces occurrences of '?' in the format by the escaped serialization of the parameters
  + public parse(String format, Object... params): relies on the previous one and the existing sig.
- Stateful QueryModel builds its query incrementally. Therefore it'll use escapeStringLiteral
- Stateless QueryModel will use the new parse sig to fire its requests and/or formatQuery to provide the query string
Currently client components find documents by forging a string query such as:
String myQuery = "SELECT * FROM document WHERE prefix1:field1 = 'value1' AND prefix2:field2 = 'value2'";
and then feeding it to:
documentManager.query(myQuery);
Which is bad since it's up to the client code to implement NXQL escaping (security protection against NXQL injection).
So the new API instead accepts:
String myQuery = "SELECT * FROM document WHERE prefix1:field1 = ? AND prefix2:field2 = ?";
Object[] params = new Object[] {"value1", "value2"};
documentManager.query(myQuery, params);
and the NXQL escaping should be handled by the server, as is done with the PreparedStatement class of JDBC for instance.
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets