Don’t allow use of $ param with no value in queries
Previously it was possible to run SELECT * FROM $, which would return all of the defined variables. This is no longer possible; variables must be referenced by their defined name.
parent
8ab01b510f
commit
ddefed03e6
1 changed files with 20 additions and 16 deletions
36
db/fetch.go
36
db/fetch.go
|
@ -106,28 +106,32 @@ func (e *executor) fetch(ctx context.Context, val interface{}, doc *data.Doc) (o
|
||||||
|
|
||||||
case *sql.Param:
|
case *sql.Param:
|
||||||
|
|
||||||
for _, s := range paramSearchKeys {
|
if len(val.ID) > 0 {
|
||||||
|
|
||||||
if obj, ok := ctx.Value(s).(*data.Doc); ok {
|
for _, s := range paramSearchKeys {
|
||||||
|
|
||||||
fnc := func(key string, val interface{}, path []string) interface{} {
|
if obj, ok := ctx.Value(s).(*data.Doc); ok {
|
||||||
if len(path) > 0 {
|
|
||||||
switch res := val.(type) {
|
fnc := func(key string, val interface{}, path []string) interface{} {
|
||||||
case []interface{}:
|
if len(path) > 0 {
|
||||||
val, _ = e.fetchArray(ctx, res, doc)
|
switch res := val.(type) {
|
||||||
return val
|
case []interface{}:
|
||||||
case *sql.Thing:
|
val, _ = e.fetchArray(ctx, res, doc)
|
||||||
val, _ = e.fetchThing(ctx, res, doc)
|
return val
|
||||||
return val
|
case *sql.Thing:
|
||||||
|
val, _ = e.fetchThing(ctx, res, doc)
|
||||||
|
return val
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
return val
|
||||||
}
|
}
|
||||||
return val
|
|
||||||
}
|
|
||||||
|
|
||||||
res := obj.Fetch(fnc, val.ID).Data()
|
res := obj.Fetch(fnc, val.ID).Data()
|
||||||
|
|
||||||
|
if res != nil {
|
||||||
|
return e.fetch(ctx, res, doc)
|
||||||
|
}
|
||||||
|
|
||||||
if res != nil {
|
|
||||||
return e.fetch(ctx, res, doc)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
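Review bot: The new `if len(val.ID) > 0` guard in the `*sql.Param` case makes a bare `$` skip the lookup silently, and what `fetch` returns after this case lies outside the hunk, so it is not visible here whether the caller gets an empty result or an error. Since the guard exists to stop a query from listing every defined variable, I would make the rejection explicit (return an error for an empty ID, if the code after this case does not already) and at minimum state the intent on the guard: `// A bare "$" has no ID; never resolve it, or the whole variable document would be returned.` A regression test that runs `SELECT * FROM $` and asserts that no variables come back would pin the behaviour. Separately, the callback still discards the errors from `e.fetchArray` and `e.fetchThing` with `_`, so a failed nested fetch cannot be told apart from an empty value.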