Prevent SQL injection in search by using a prepared statement

This commit is contained in:
Tobi Schäfer 2023-03-03 17:59:59 +01:00
parent a5424825b8
commit c7cf535652
2 changed files with 7 additions and 3 deletions


@ -183,9 +183,9 @@ Sql.PURGEREFERRERS = "delete from log where action = 'main' and " +
* SQL query for searching stories.
* @constant
*/
Sql.STORY_SEARCH = "select content.id from content, site, metadata, account as creator, account as modifier where site.id = $0 and content.prototype = 'Story' and site.id = content.site_id and content.status in ('public', 'shared', 'open') and content.creator_id = creator.id and content.modifier_id = modifier.id and creator.status <> 'deleted' and modifier.status <> 'deleted' and content.prototype = metadata.parent_type and content.id = metadata.parent_id and metadata.name in ('title', 'text') and lower(metadata.value) like lower('%$1%') group by content.id, content.created order by content.created desc limit $2";
Sql.STORY_SEARCH = "select content.id from content, site, metadata, account as creator, account as modifier where site.id = ? and content.prototype = 'Story' and site.id = content.site_id and content.status in ('public', 'shared', 'open') and content.creator_id = creator.id and content.modifier_id = modifier.id and creator.status <> 'deleted' and modifier.status <> 'deleted' and content.prototype = metadata.parent_type and content.id = metadata.parent_id and metadata.name in ('title', 'text') and lower(metadata.value) like lower(?) group by content.id, content.created order by content.created desc limit $0";
Sql.COMMENT_SEARCH = "select comment.id from content as comment, content as story, site, metadata, account as creator, account as modifier where site.id = $0 and comment.prototype = 'Comment' and site.id = comment.site_id and comment.story_id = story.id and story.status in ('public', 'shared', 'open') and story.comment_mode in ('open') and comment.creator_id = creator.id and comment.modifier_id = modifier.id and creator.status <> 'deleted' and modifier.status <> 'deleted' and comment.prototype = metadata.parent_type and comment.id = metadata.parent_id and metadata.name in ('title', 'text') and lower(metadata.value) like lower('%$1%') group by comment.id, comment.created order by comment.created desc limit $2";
Sql.COMMENT_SEARCH = "select comment.id from content as comment, content as story, site, metadata, account as creator, account as modifier where site.id = ? and comment.prototype = 'Comment' and site.id = comment.site_id and comment.story_id = story.id and story.status in ('public', 'shared', 'open') and story.comment_mode in ('open') and comment.creator_id = creator.id and comment.modifier_id = modifier.id and creator.status <> 'deleted' and modifier.status <> 'deleted' and comment.prototype = metadata.parent_type and comment.id = metadata.parent_id and metadata.name in ('title', 'text') and lower(metadata.value) like lower(?) group by comment.id, comment.created order by comment.created desc limit $0";
/**
* SQL query for searching accounts which are not already members of the desired site.


@ -954,7 +954,11 @@ Site.prototype.search = function (type, term, limit) {
} else if (term) {
var counter = 0;
var sql = new Sql({quote: false});
sql.retrieve(query, this._id, term, limit + 1);
query = sql.prepare(query, statement => {
statement.setInt(1, this._id);
statement.setString(2, '%' + term + '%');
});
sql.retrieve(query, limit + 1);
sql.traverse(function () {
if (counter < limit) {
search.result.push(Story.getById(this.id));
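Review bot: `sql.retrieve(query, limit + 1)` on the last changed line still substitutes `limit` into the `limit $0` tail of `STORY_SEARCH`/`COMMENT_SEARCH` as raw text, and with `new Sql({quote: false})` that value is neither quoted nor bound, so the search is only fully parameterized if `limit` is guaranteed numeric — its origin is outside this hunk, so I cannot confirm that from here. If `limit` arrives as a string, `limit + 1` concatenates (`"10" + 1` gives `"101"`) rather than adds, and any non-numeric content reaches the query unquoted. I would coerce and validate before the call, e.g. `var pageSize = parseInt(limit, 10); if (isNaN(pageSize)) pageSize = 0; sql.retrieve(query, pageSize + 1);`, or bind it as a third `?` in the statement with `statement.setInt(3, limit + 1)`. The `'%' + term + '%'` pattern also leaves `%` and `_` in `term` unescaped, which is not an injection but lets callers submit arbitrary LIKE wildcards; fine if that is intended. `Site.prototype.search` starts before this hunk and continues past it.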