making order_by injection-safe

author miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>

Thu, 25 Jan 2007 19:52:51 +0000 (19:52 +0000)

committer miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>

Thu, 25 Jan 2007 19:52:51 +0000 (19:52 +0000)
author miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Thu, 25 Jan 2007 19:52:51 +0000 (19:52 +0000)
committer miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Thu, 25 Jan 2007 19:52:51 +0000 (19:52 +0000)
diff --git a/Open-ILS/src/c-apps/oils_cstore.c b/Open-ILS/src/c-apps/oils_cstore.c

index 586922c..e8c0492 100644 (file)
--- a/Open-ILS/src/c-apps/oils_cstore.c
+++ b/Open-ILS/src/c-apps/oils_cstore.c
@@ -1083,8 +1083,6 @@ char* searchFieldTransform (const char* class, osrfHash* field, jsonObject* node
                 osrfHashGet(field, "name")
         );
  
-
-
         char* pred = buffer_data(sql_buf);
         buffer_free(sql_buf);
         free(field_transform);
@@ -1522,45 +1520,63 @@ char* buildSELECT ( jsonObject* search_hash, jsonObject* order_hash, osrfHash* m
                                 if (!jsonObjectGetKey(selhash,snode->key))
                                         continue;
  
-                               if ( snode->item->type == JSON_ARRAY ) {
+                               if ( snode->item->type == JSON_HASH ) {
  
                                         jsonObjectIterator* order_itr = jsonNewObjectIterator( snode->item );
                                         while ( (onode = jsonObjectIteratorNext( order_itr )) ) {
  
+                                               if (!oilsIDLFindPath( "/%s/fields/%s", snode->key, onode->key ))
+                                                       continue;
+
+                                               char* direction = NULL;
                                                 if ( onode->item->type == JSON_HASH ) {
-                                                       string = searchFieldTransformPredicate(
-                                                               snode->key,
-                                                               oilsIDLFindPath(
-                                                                       "/%s/fields/%s",
+                                                       if ( jsonObjectGetKey( onode->item, "transform" ) ) {
+                                                               string = searchFieldTransform(
                                                                         snode->key,
-                                                                       jsonObjectToSimpleString(
-                                                                               jsonObjectGetKey(
-                                                                                       snode->item,
-                                                                                       "transform"
-                                                                               )
-                                                                       )
-                                                               ),
-                                                               snode
-                                                       );
+                                                                       oilsIDLFindPath( "/%s/fields/%s", snode->key, onode->key ),
+                                                                       onode->item
+                                                               );
+                                                       } else {
+                                                               growing_buffer* field_buf = buffer_init(16);
+                                                               buffer_fadd(field_buf, "\"%s\".%s", snode->key, onode->key);
+                                                               string = buffer_data(field_buf);
+                                                               buffer_free(field_buf);
+                                                       }
+
+                                                       if ( (_tmp = jsonObjectGetKey( onode->item, "direction" )) ) {
+                                                               direction = jsonObjectToSimpleString(_tmp);
+                                                               if (!strncasecmp(direction, "d", 1)) {
+                                                                       free(direction);
+                                                                       direction = " DESC";
+                                                               } else {
+                                                                       free(direction);
+                                                                       direction = " ASC";
+                                                               }
+                                                       }
+
                                                 } else {
-                                                       string = jsonObjectToSimpleString(snode->item);
+                                                       string = strdup(onode->key);
+                                                       direction = jsonObjectToSimpleString(onode->item);
+                                                       if (!strncasecmp(direction, "d", 1)) {
+                                                               free(direction);
+                                                               direction = " DESC";
+                                                       } else {
+                                                               free(direction);
+                                                               direction = " ASC";
+                                                       }
                                                 }
  
                                                 if (first) {
                                                         first = 0;
                                                 } else {
-                                                       buffer_add(order_buf, ",");
+                                                       buffer_add(order_buf, ", ");
                                                 }
  
                                                 buffer_add(order_buf, string);
                                                 free(string);
  
-                                               if ( (_tmp = jsonObjectGetKey( snode->item, "direction" )) ) {
-                                                       string = jsonObjectToSimpleString(_tmp);
-                                                       if (!strcasecmp(string,"desc")) {
-                                                               buffer_add(order_buf, " DESC");
-                                                       }
-                                                       free(string);
+                                               if (direction) {
+                                                       buffer_add(order_buf, direction);
                                                 }
  
                                         }
author	miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>
	Thu, 25 Jan 2007 19:52:51 +0000 (19:52 +0000)
committer	miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>
	Thu, 25 Jan 2007 19:52:51 +0000 (19:52 +0000)