fix bug of sql injection in sqlBuilder
PeterMu committed Jan 13, 2018
1 parent 1e3328a commit 6629ff5
Showing 9 changed files with 3,596 additions and 36 deletions.
12 changes: 6 additions & 6 deletions dist/lib/pool.js
Expand Up @@ -44,7 +44,7 @@ var _class = function () {
_createClass(_class, [{
key: 'getConn',
value: function () {
var _ref = _asyncToGenerator(regeneratorRuntime.mark(function _callee() {
var _ref = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee() {
var conn;
return regeneratorRuntime.wrap(function _callee$(_context) {
while (1) {
Expand Down Expand Up @@ -74,7 +74,7 @@ var _class = function () {
}, {
key: 'releaseConn',
value: function () {
var _ref2 = _asyncToGenerator(regeneratorRuntime.mark(function _callee2(conn) {
var _ref2 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2(conn) {
return regeneratorRuntime.wrap(function _callee2$(_context2) {
while (1) {
switch (_context2.prev = _context2.next) {
Expand All @@ -98,7 +98,7 @@ var _class = function () {
}, {
key: 'query',
value: function () {
var _ref3 = _asyncToGenerator(regeneratorRuntime.mark(function _callee3(key, sql, params, transationConn) {
var _ref3 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee3(key, sql, params, transationConn) {
var that, conn, _that;

return regeneratorRuntime.wrap(function _callee3$(_context3) {
Expand Down Expand Up @@ -170,7 +170,7 @@ var _class = function () {
}, {
key: 'beginTransation',
value: function () {
var _ref4 = _asyncToGenerator(regeneratorRuntime.mark(function _callee4() {
var _ref4 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee4() {
var conn;
return regeneratorRuntime.wrap(function _callee4$(_context4) {
while (1) {
Expand Down Expand Up @@ -200,7 +200,7 @@ var _class = function () {
}, {
key: 'commit',
value: function () {
var _ref5 = _asyncToGenerator(regeneratorRuntime.mark(function _callee5(conn) {
var _ref5 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee5(conn) {
return regeneratorRuntime.wrap(function _callee5$(_context5) {
while (1) {
switch (_context5.prev = _context5.next) {
Expand Down Expand Up @@ -228,7 +228,7 @@ var _class = function () {
}, {
key: 'rollback',
value: function () {
var _ref6 = _asyncToGenerator(regeneratorRuntime.mark(function _callee6(conn) {
var _ref6 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee6(conn) {
return regeneratorRuntime.wrap(function _callee6$(_context6) {
while (1) {
switch (_context6.prev = _context6.next) {
18 changes: 13 additions & 5 deletions dist/lib/sqlBuilder.js
Expand Up @@ -3,25 +3,28 @@
Object.defineProperty(exports, "__esModule", {
value: true
});
/**
* sql 构造
*/
exports.getDelSql = exports.getUpdateSql = exports.getInsertSql = undefined;

var _sqlstring = require('sqlstring');

var getInsertSql = exports.getInsertSql = function getInsertSql(tableName, data) {
var columns = [],
params = [],
holders = [],
sql = '';
tableName = (0, _sqlstring.escapeId)(tableName);
for (var key in data) {
columns.push(key);
columns.push((0, _sqlstring.escapeId)(key));
holders.push('?');
params.push(data[key]);
}
columns = columns.join(',');
holders = holders.join(',');
sql = 'insert into ' + tableName + ' (' + columns + ') values (' + holders + ')';
return { sql: sql, params: params };
};
}; /**
* sql 构造
*/

var getUpdateSql = exports.getUpdateSql = function getUpdateSql(tableName, data) {
var idKey = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 'id';
Expand All @@ -30,8 +33,11 @@ var getUpdateSql = exports.getUpdateSql = function getUpdateSql(tableName, data)
params = [],
holders = [];
var where = '';
tableName = (0, _sqlstring.escapeId)(tableName);
idKey = (0, _sqlstring.escapeId)(idKey);
for (var key in data) {
if (key != idKey) {
key = (0, _sqlstring.escapeId)(key);
holders.push(key + ' = ?');
params.push(data[key]);
}
Expand All @@ -49,6 +55,8 @@ var getDelSql = exports.getDelSql = function getDelSql(tableName, id) {
var idKey = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 'id';

var sql = 'delete from ' + tableName + ' where ' + idKey + ' = ?';
tableName = (0, _sqlstring.escapeId)(tableName);
idKey = (0, _sqlstring.escapeId)(idKey);
return {
sql: sql,
params: [id]
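Review bot: In getDelSql the two escapeId calls are applied after `sql` has already been concatenated from the raw `tableName` and `idKey`, so the escaping never reaches the emitted statement and that function is still built from unescaped identifiers; the `var sql = 'delete from ' + tableName + ' where ' + idKey + ' = ?';` line needs to move below the two escape lines. In getUpdateSql the loop reassigns `key` to its escaped form before `params.push(data[key])`, so the lookup uses the backtick-quoted name and every parameter becomes undefined, and the `key != idKey` test now compares a raw key against the already-escaped idKey, so the id column is no longer excluded from the SET clause. Keeping the raw key for the lookup and the comparison and escaping only when building the placeholder fixes both; getUpdateSql's body continues past the hunk. As dist/ appears to be compiled output, the same corrections presumably belong in the source file it is generated from.
```javascript
var rawIdKey = idKey;
tableName = (0, _sqlstring.escapeId)(tableName);
idKey = (0, _sqlstring.escapeId)(idKey);
for (var key in data) {
    if (key != rawIdKey) {
        holders.push((0, _sqlstring.escapeId)(key) + ' = ?');
        params.push(data[key]);
    }
    // … unchanged: remainder of the loop body and the where clause …
```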
34 changes: 17 additions & 17 deletions dist/nodebatis.js
Expand Up @@ -56,7 +56,7 @@ var NodeBatis = function () {
_createClass(NodeBatis, [{
key: 'execute',
value: function () {
var _ref = _asyncToGenerator(regeneratorRuntime.mark(function _callee(key, data, transationConn) {
var _ref = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee(key, data, transationConn) {
var sqlObj, result;
return regeneratorRuntime.wrap(function _callee$(_context) {
while (1) {
Expand Down Expand Up @@ -91,7 +91,7 @@ var NodeBatis = function () {
}, {
key: 'query',
value: function () {
var _ref2 = _asyncToGenerator(regeneratorRuntime.mark(function _callee2(key, data, transationConn) {
var _ref2 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2(key, data, transationConn) {
return regeneratorRuntime.wrap(function _callee2$(_context2) {
while (1) {
switch (_context2.prev = _context2.next) {
Expand Down Expand Up @@ -119,7 +119,7 @@ var NodeBatis = function () {
}, {
key: 'insert',
value: function () {
var _ref3 = _asyncToGenerator(regeneratorRuntime.mark(function _callee3(tableName, data, transationConn) {
var _ref3 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee3(tableName, data, transationConn) {
var sqlObj, key;
return regeneratorRuntime.wrap(function _callee3$(_context3) {
while (1) {
Expand Down Expand Up @@ -162,7 +162,7 @@ var NodeBatis = function () {
}, {
key: 'update',
value: function () {
var _ref4 = _asyncToGenerator(regeneratorRuntime.mark(function _callee4(tableName, data, idKey, transationConn) {
var _ref4 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee4(tableName, data, idKey, transationConn) {
var sqlObj, key;
return regeneratorRuntime.wrap(function _callee4$(_context4) {
while (1) {
Expand Down Expand Up @@ -205,7 +205,7 @@ var NodeBatis = function () {
}, {
key: 'del',
value: function () {
var _ref5 = _asyncToGenerator(regeneratorRuntime.mark(function _callee5(tableName, id, idKey, transationConn) {
var _ref5 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee5(tableName, id, idKey, transationConn) {
var sqlObj, key;
return regeneratorRuntime.wrap(function _callee5$(_context5) {
while (1) {
Expand Down Expand Up @@ -251,7 +251,7 @@ var NodeBatis = function () {
}, {
key: 'getTransation',
value: function () {
var _ref6 = _asyncToGenerator(regeneratorRuntime.mark(function _callee13() {
var _ref6 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee13() {
var _this = this;

var that, conn, nodebatis;
Expand All @@ -268,7 +268,7 @@ var NodeBatis = function () {
nodebatis = {
conn: conn,
execute: function () {
var _ref7 = _asyncToGenerator(regeneratorRuntime.mark(function _callee6(key, data) {
var _ref7 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee6(key, data) {
return regeneratorRuntime.wrap(function _callee6$(_context6) {
while (1) {
switch (_context6.prev = _context6.next) {
Expand All @@ -292,7 +292,7 @@ var NodeBatis = function () {
};
}(),
query: function () {
var _ref8 = _asyncToGenerator(regeneratorRuntime.mark(function _callee7(key, data) {
var _ref8 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee7(key, data) {
return regeneratorRuntime.wrap(function _callee7$(_context7) {
while (1) {
switch (_context7.prev = _context7.next) {
Expand All @@ -316,7 +316,7 @@ var NodeBatis = function () {
};
}(),
insert: function () {
var _ref9 = _asyncToGenerator(regeneratorRuntime.mark(function _callee8(tableName, data) {
var _ref9 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee8(tableName, data) {
return regeneratorRuntime.wrap(function _callee8$(_context8) {
while (1) {
switch (_context8.prev = _context8.next) {
Expand All @@ -340,7 +340,7 @@ var NodeBatis = function () {
};
}(),
update: function () {
var _ref10 = _asyncToGenerator(regeneratorRuntime.mark(function _callee9(tableName, data, idKey) {
var _ref10 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee9(tableName, data, idKey) {
return regeneratorRuntime.wrap(function _callee9$(_context9) {
while (1) {
switch (_context9.prev = _context9.next) {
Expand All @@ -364,7 +364,7 @@ var NodeBatis = function () {
};
}(),
del: function () {
var _ref11 = _asyncToGenerator(regeneratorRuntime.mark(function _callee10(tableName, id, idKey) {
var _ref11 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee10(tableName, id, idKey) {
return regeneratorRuntime.wrap(function _callee10$(_context10) {
while (1) {
switch (_context10.prev = _context10.next) {
Expand All @@ -388,7 +388,7 @@ var NodeBatis = function () {
};
}(),
commit: function () {
var _ref12 = _asyncToGenerator(regeneratorRuntime.mark(function _callee11() {
var _ref12 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee11() {
var ret;
return regeneratorRuntime.wrap(function _callee11$(_context11) {
while (1) {
Expand Down Expand Up @@ -432,7 +432,7 @@ var NodeBatis = function () {
};
}(),
rollback: function () {
var _ref13 = _asyncToGenerator(regeneratorRuntime.mark(function _callee12() {
var _ref13 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee12() {
var ret;
return regeneratorRuntime.wrap(function _callee12$(_context12) {
while (1) {
Expand Down Expand Up @@ -495,7 +495,7 @@ var NodeBatis = function () {
}, {
key: 'beginTransation',
value: function () {
var _ref14 = _asyncToGenerator(regeneratorRuntime.mark(function _callee15() {
var _ref14 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee15() {
var _this2 = this;

var that, conn;
Expand All @@ -511,7 +511,7 @@ var NodeBatis = function () {
conn = _context15.sent;

conn.execute = function () {
var _ref15 = _asyncToGenerator(regeneratorRuntime.mark(function _callee14(key, data) {
var _ref15 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee14(key, data) {
return regeneratorRuntime.wrap(function _callee14$(_context14) {
while (1) {
switch (_context14.prev = _context14.next) {
Expand Down Expand Up @@ -553,7 +553,7 @@ var NodeBatis = function () {
}, {
key: 'commit',
value: function () {
var _ref16 = _asyncToGenerator(regeneratorRuntime.mark(function _callee16(conn) {
var _ref16 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee16(conn) {
return regeneratorRuntime.wrap(function _callee16$(_context16) {
while (1) {
switch (_context16.prev = _context16.next) {
Expand Down Expand Up @@ -581,7 +581,7 @@ var NodeBatis = function () {
}, {
key: 'rollback',
value: function () {
var _ref17 = _asyncToGenerator(regeneratorRuntime.mark(function _callee17(conn) {
var _ref17 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee17(conn) {
return regeneratorRuntime.wrap(function _callee17$(_context17) {
while (1) {
switch (_context17.prev = _context17.next) {
