oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

safer asset reading sql and better parameter validation

Browse source
This commit is contained in:
Graham Knop 2011-07-05 08:35:26 -05:00
parent 6bf9fbb8d9
commit c4af0e33df
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
lib/WebGUI/Asset.pm
View file

@ -343,6 +343,9 @@ around BUILDARGS => sub {
WebGUI::Error::InvalidParam->throw(error => "Cannot find revision date for assetId", param => $assetId); WebGUI::Error::InvalidParam->throw(error => "Cannot find revision date for assetId", param => $assetId);
} }
} }
elsif ( $revisionDate =~ /[^0-9]/) {
WebGUI::Error::InvalidParam->throw(error => "Invalid revision date given", param => $revisionDate);
}
my $properties = $session->cache->get("asset".$assetId.$revisionDate); my $properties = $session->cache->get("asset".$assetId.$revisionDate);
unless (exists $properties->{assetId}) { # can we get it from cache? unless (exists $properties->{assetId}) { # can we get it from cache?
@ -353,7 +356,8 @@ around BUILDARGS => sub {
# join all the tables # join all the tables
foreach my $table ($className->meta->get_tables) { foreach my $table ($className->meta->get_tables) {
$sql .= ",".$table; $sql .= ",".$table;
$where .= " and (asset.assetId=".$table.".assetId and ".$table.".revisionDate=".$revisionDate.")"; $where .= " and (asset.assetId=".$table.".assetId and ".$table.".revisionDate=?)";
push @$placeHolders, $revisionDate;
} }
# fetch properties # fetch properties