disabled write actions in SQL macro for security reasons

This commit is contained in:
JT Smith 2003-07-01 23:55:45 +00:00
parent 5788df76a8
commit 2c7576bdad
3 changed files with 25 additions and 13 deletions


@ -20,19 +20,23 @@ sub process {
my ($output, @data, $rownum, $temp);
my ($statement, $format) = WebGUI::Macro::getParams(shift);
$format = '^0;' if ($format eq "");
my $sth = WebGUI::SQL->unconditionalRead($statement);
unless ($sth->errorCode < 1) {
return '<p><b>SQL Macro Failed:</b> '.$sth->errorMessage.'<p>';
if ($statement =~ /^select/i || $statement =~ /^show/i || $statement =~ /^describe/i) {
my $sth = WebGUI::SQL->unconditionalRead($statement);
unless ($sth->errorCode < 1) {
return '<p><b>SQL Macro Failed:</b> '.$sth->errorMessage.'<p>';
} else {
while (@data = $sth->array) {
$temp = $format;
$temp =~ s/\^(\d+)\;/$data[$1]/g;
$rownum++;
$temp =~ s/\^rownum\;/$rownum/g;
$output .= $temp;
}
$sth->finish;
return $output;
}
} else {
while (@data = $sth->array) {
$temp = $format;
$temp =~ s/\^(\d+)\;/$data[$1]/g;
$rownum++;
$temp =~ s/\^rownum\;/$rownum/g;
$output .= $temp;
}
$sth->finish;
return $output;
return "Cannot execute this type of query.";
}
}
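Review bot: The allowlist on the new `if ($statement =~ /^select/i || ...)` line is a prefix test on the statement text, not a guarantee that nothing is written: it accepts any statement that merely begins with those letters (`selectfoo` passes), and `SELECT` forms that write on engines supporting them (for example `... INTO OUTFILE`) pass unchanged. Tightening it to `if ($statement =~ /\A\s*(?:select|show|describe)\b/i) {` closes the first gap; the second can only be closed outside this code, by giving the account behind unconditionalRead read-only grants, and that is the enforcement worth stating in a comment above the check. The rejection branch `return "Cannot execute this type of query.";` is silent, so a `WebGUI::ErrorHandler::warn("SQL Macro rejected a non-read statement");` there, in the logging style www_view already uses, would make rejected statements visible in the log. The same prefix test is used in the www_view hunk below, and sub process begins above this hunk.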


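--- a/FILE-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -185,7 +185,7 @@ sub www_view {
 WebGUI::ErrorHandler::warn("SQLReport [".$_[0]->get("wobjectId")."] The DSN specified is of an improper format.");
 }
 if (defined $dbh) {
-if ($query =~ /select/i || $query =~ /show/i || $query =~ /describe/i) {
+if ($query =~ /^select/i || $query =~ /^show/i || $query =~ /^describe/i) {
 $sth = WebGUI::SQL->unconditionalRead($query,$dbh);
 unless ($sth->errorCode < 1) {
 $errorMessage = $sth->errorMessage;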