Use escape_sqlite() more consistently

csv
Simon Willison 2018-05-15 10:00:39 -05:00 zatwierdzone przez Simon Willison
rodzic 8a0bd68c39
commit a892f9a0bd
1 zmienionych plików z 16 dodań i 9 usunięć


@ -73,9 +73,13 @@ class RowTableShared(BaseView):
continue continue
ids_to_lookup = set([row[fk["column"]] for row in rows]) ids_to_lookup = set([row[fk["column"]] for row in rows])
sql = 'select "{other_column}", "{label_column}" from {other_table} where "{other_column}" in ({placeholders})'.format( sql = '''
other_column=fk["other_column"], select {other_column}, {label_column}
label_column=label_column, from {other_table}
where {other_column} in ({placeholders})
'''.format(
other_column=escape_sqlite(fk["other_column"]),
label_column=escape_sqlite(label_column),
other_table=escape_sqlite(fk["other_table"]), other_table=escape_sqlite(fk["other_table"]),
placeholders=", ".join(["?"] * len(ids_to_lookup)), placeholders=", ".join(["?"] * len(ids_to_lookup)),
) )
@ -300,8 +304,8 @@ class TableView(RowTableShared):
# Simple ?_search=xxx # Simple ?_search=xxx
search = search_args["_search"] search = search_args["_search"]
where_clauses.append( where_clauses.append(
"rowid in (select rowid from [{fts_table}] where [{fts_table}] match :search)".format( "rowid in (select rowid from {fts_table} where {fts_table} match :search)".format(
fts_table=fts_table fts_table=escape_sqlite(fts_table),
) )
) )
search_descriptions.append('search matches "{}"'.format(search)) search_descriptions.append('search matches "{}"'.format(search))
@ -315,8 +319,10 @@ class TableView(RowTableShared):
raise DatasetteError("Cannot search by that column", status=400) raise DatasetteError("Cannot search by that column", status=400)
where_clauses.append( where_clauses.append(
"rowid in (select rowid from [{fts_table}] where [{search_col}] match :search_{i})".format( "rowid in (select rowid from {fts_table} where {search_col} match :search_{i})".format(
fts_table=fts_table, search_col=search_col, i=i fts_table=escape_sqlite(fts_table),
search_col=escape_sqlite(search_col),
i=i
) )
) )
search_descriptions.append( search_descriptions.append(
@ -786,8 +792,9 @@ class RowView(RowTableShared):
sql = "select " + ", ".join( sql = "select " + ", ".join(
[ [
'(select count(*) from {table} where "{column}"=:id)'.format( '(select count(*) from {table} where {column}=:id)'.format(
table=escape_sqlite(fk["other_table"]), column=fk["other_column"] table=escape_sqlite(fk["other_table"]),
column=escape_sqlite(fk["other_column"]),
) )
for fk in foreign_keys for fk in foreign_keys
] ]