Updated Item.save() to use bound parameters for most queries so that values are properly escaped (and for somewhat cleaner code)

Dan Stillman 2006-06-02 07:03:24 +00:00
parent 639a006efb
commit a7d5685da7


@ -350,18 +350,23 @@ Scholar.Item.prototype.save = function(){
// //
var sql = "UPDATE items SET "; var sql = "UPDATE items SET ";
var sql2; var sql2;
var sqlValues = [];
if (this._changed.has('itemTypeID')){ if (this._changed.has('itemTypeID')){
sql += "itemTypeID='" + this.getField('itemTypeID') + "', "; sql += "itemTypeID=?, ";
sqlValues.push({'int':this.getField('itemTypeID')});
} }
if (this._changed.has('title')){ if (this._changed.has('title')){
sql += "title='" + this.getField('title') + "', "; sql += "title=?, ";
sqlValues.push({'string':this.getField('title')});
} }
// Always update modified time // Always update modified time
sql += "dateModified=CURRENT_TIMESTAMP "; sql += "dateModified=CURRENT_TIMESTAMP ";
sql += "WHERE itemID=" + this.getID() + ";\n"; sql += "WHERE itemID=?;\n";
sqlValues.push({'int':this.getID()});
Scholar.DB.query(sql, sqlValues);
// //
// Creators // Creators
@ -403,25 +408,40 @@ Scholar.Item.prototype.save = function(){
+ ' AND orderIndex=' + orderIndex; + ' AND orderIndex=' + orderIndex;
if (Scholar.DB.valueQuery(sql2)){ if (Scholar.DB.valueQuery(sql2)){
sql += 'UPDATE itemCreators SET ' sql = 'UPDATE itemCreators SET creatorID=?, '
+ 'creatorID=' + creatorID +', ' + 'creatorTypeID=? WHERE itemID=?'
+ 'creatorTypeID=' + creator['creatorTypeID'] + ' ' + " AND orderIndex=?;\n";
+ 'WHERE itemID=' + this.getID()
+ ' AND orderIndex=' + orderIndex + ";\n"; sqlValues = [
{'int':creatorID},
{'int':creator['creatorTypeID']},
{'int':this.getID()},
{'int':orderIndex}
];
Scholar.DB.query(sql, sqlValues);
} }
// Otherwise insert // Otherwise insert
else { else {
sql += 'INSERT INTO itemCreators VALUES (' sql = "INSERT INTO itemCreators VALUES (?,?,?,?);\n";
+ itemID + ', ' + creatorID + ', '
+ creator['creatorTypeID'] + ', ' + orderIndex sqlValues = [
+ ");\n"; {'int':itemID},
{'int':creatorID},
{'int':creator['creatorTypeID']},
{'int':orderIndex}
];
Scholar.DB.query(sql, sqlValues);
} }
} }
// Append the SQL to delete obsolete creators // Append the SQL to delete obsolete creators
// //
// TODO: fix this so it actually purges the internal memory // TODO: fix this so it actually purges the internal memory
sql += Scholar.Creators.purge(true) + "\n"; if (sql = Scholar.Creators.purge(true)){
Scholar.DB.query(sql);
}
} }
@ -438,28 +458,41 @@ Scholar.Item.prototype.save = function(){
+ ' AND fieldID=' + fieldID; + ' AND fieldID=' + fieldID;
if (Scholar.DB.valueQuery(sql2)){ if (Scholar.DB.valueQuery(sql2)){
sql += "UPDATE itemData SET value="; sqlValues = [];
sql = "UPDATE itemData SET value=?";
// Take advantage of SQLite's manifest typing // Take advantage of SQLite's manifest typing
if (Scholar.ItemFields.isInteger(fieldID)){ if (Scholar.ItemFields.isInteger(fieldID)){
sql += this.getField(fieldID); sqlValues.push({'int':this.getField(fieldID)});
} }
else { else {
sql += "'" + this.getField(fieldID) + "'"; sqlValues.push({'string':this.getField(fieldID)});
} }
sql += " WHERE itemID=" + this.getID() sql += " WHERE itemID=? AND fieldID=?;\n";
+ ' AND fieldID=' + fieldID + ";\n";
sqlValues.push(
{'int':this.getID()},
{'int':fieldID}
);
Scholar.DB.query(sql, sqlValues);
} }
else { else {
sql += 'INSERT INTO itemData VALUES (' sql = "INSERT INTO itemData VALUES (?,?,?);\n";
+ this.getID() + ',' + fieldID + ',';
sqlValues = [
{'int':this.getID()},
{'int':fieldID},
];
if (Scholar.ItemFields.isInteger(fieldID)){ if (Scholar.ItemFields.isInteger(fieldID)){
sql += this.getField(fieldID); sqlValues.push({'int':this.getField(fieldID)});
} }
else { else {
sql += "'" + this.getField(fieldID) + "'"; sqlValues.push({'string':this.getField(fieldID)});
} }
sql += ");\n";
Scholar.DB.query(sql, sqlValues);
} }
} }
// If field changed and is empty, mark row for deletion // If field changed and is empty, mark row for deletion
@ -470,14 +503,13 @@ Scholar.Item.prototype.save = function(){
// Delete blank fields // Delete blank fields
if (del.length){ if (del.length){
sql += 'DELETE from itemData ' sql = 'DELETE from itemData '
+ 'WHERE itemID=' + this.getID() + ' ' + 'WHERE itemID=' + this.getID() + ' '
+ 'AND fieldID IN (' + del.join() + ");\n"; + 'AND fieldID IN (' + del.join() + ");\n";
Scholar.DB.query(sql);
} }
} }
Scholar.DB.query(sql);
Scholar.DB.commitTransaction(); Scholar.DB.commitTransaction();
} }
catch (e){ catch (e){
@ -528,24 +560,33 @@ Scholar.Item.prototype.save = function(){
// Set itemData // Set itemData
if (this._changedItemData.length){ if (this._changedItemData.length){
sql = ''; sql = '';
sqlValues = [];
for (fieldID in this._changedItemData.items){ for (fieldID in this._changedItemData.items){
if (!this.getField(fieldID)){ if (!this.getField(fieldID)){
continue; continue;
} }
sql += 'INSERT INTO itemData VALUES (' + // TODO: update DB methods so that this can be
itemID + ',' + fieldID + ','; // implemented as a prepared statement that gets
if (Scholar.ItemFields.isInteger(fieldID)){ // called multiple times
sql += this.getField(fieldID); sql += "INSERT INTO itemData VALUES (?,?,?);\n";
}
else { sqlValues.push(
sql += "'" + this.getField(fieldID) + "'"; {'int':itemID},
} {'int':fieldID}
sql += ");\n"; );
if (Scholar.ItemFields.isInteger(fieldID)){
sqlValues.push({'int':this.getField(fieldID)});
}
else {
sqlValues.push({'string':this.getField(fieldID)});
}
} }
if (sql){ if (sql){
Scholar.DB.query(sql); Scholar.DB.query(sql, sqlValues);
} }
} }
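Review bot: The DELETE in the itemData block (`'WHERE itemID=' + this.getID() + ' ' + 'AND fieldID IN (' + del.join() + ");\n"` in the fourth hunk) is still assembled by concatenation, as are the two `sql2` existence checks this commit leaves as they were (`' AND orderIndex=' + orderIndex` in the second hunk and `' AND fieldID=' + fieldID` in the third); these look like internal integer IDs, but they are the remaining spots in these hunks where a value reaches the SQL text directly rather than through sqlValues. The DELETE could bind itemID with `?`, build the IN list from one `?` per entry of `del`, and push `{'int':del[i]}` for each entry into sqlValues before the `Scholar.DB.query(sql, sqlValues)` call, matching the other queries here. Separately, `if (sql = Scholar.Creators.purge(true)){` assigns inside the condition; `sql = Scholar.Creators.purge(true); if (sql){` reads as intended rather than as a mistyped comparison. The last hunk concatenates several `INSERT INTO itemData VALUES (?,?,?);\n` statements into one string with a single sqlValues array, which the new TODO already flags; whether Scholar.DB.query binds parameters across multiple statements is not visible here and is worth confirming before relying on it. Scholar.Item.prototype.save begins before the first hunk and its closing brace is outside this view.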