Don’t allow use of $ param with no value in queries

Previously it was possible to run `SELECT * FROM $`, which would show all of the defined variables. This is no longer possible; variables must be specified using their defined name.
Tobie Morgan Hitchcock 2018-05-30 19:06:48 +01:00
parent 8ab01b510f
commit ddefed03e6


@ -106,28 +106,32 @@ func (e *executor) fetch(ctx context.Context, val interface{}, doc *data.Doc) (o
case *sql.Param: case *sql.Param:
for _, s := range paramSearchKeys { if len(val.ID) > 0 {
if obj, ok := ctx.Value(s).(*data.Doc); ok { for _, s := range paramSearchKeys {
fnc := func(key string, val interface{}, path []string) interface{} { if obj, ok := ctx.Value(s).(*data.Doc); ok {
if len(path) > 0 {
switch res := val.(type) { fnc := func(key string, val interface{}, path []string) interface{} {
case []interface{}: if len(path) > 0 {
val, _ = e.fetchArray(ctx, res, doc) switch res := val.(type) {
return val case []interface{}:
case *sql.Thing: val, _ = e.fetchArray(ctx, res, doc)
val, _ = e.fetchThing(ctx, res, doc) return val
return val case *sql.Thing:
val, _ = e.fetchThing(ctx, res, doc)
return val
}
} }
return val
} }
return val
}
res := obj.Fetch(fnc, val.ID).Data() res := obj.Fetch(fnc, val.ID).Data()
if res != nil {
return e.fetch(ctx, res, doc)
}
if res != nil {
return e.fetch(ctx, res, doc)
} }
} }