[Mpuls-commits] r2733 - in base/trunk: . mpulsweb/lib

scm-commit at wald.intevation.org
Tue May 25 15:11:26 CEST 2010


Author: bh
Date: 2010-05-25 15:11:24 +0200 (Tue, 25 May 2010)
New Revision: 2733

Modified:
   base/trunk/ChangeLog
   base/trunk/mpulsweb/lib/validators.py
Log:
* mpulsweb/lib/validators.py (FileExistsChecker.casedoc_sql)
(FileExistsChecker.globaldoc_sql): Fix parameter markers so that
the normal DB-API parameter substitution can be used.
(FileExistsChecker.validate_python): Use the standard DB-API
parameter substitution mechanism.  This avoids SQL-injections.
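The point of the change, shown as an added example that is not part of the commit or of the mpuls code base: the old `sql % fields` inlines the user-supplied filename into the statement, so a crafted name rewrites the query, while passing the values as the second argument of `cursor.execute` lets the driver bind them as data. The project's database module is not visible on this page, so the example uses Python's bundled `sqlite3` driver with a constructed `docs` table standing in for the `*_dokumente_tbl_view` views; `sqlite3` takes `:name` placeholders, whereas a `pyformat` driver such as the one the commit targets takes `%(name)s`.

```python
import sqlite3

# Constructed stand-in for the project's document view (hypothetical rows).
ROWS = [(1, "report.pdf"), (2, "notes.txt")]

# 'Before': Python string formatting pastes the value into the SQL text.
VULNERABLE_SQL = "SELECT id FROM docs WHERE name = '%(filename)s'"

# 'After': a placeholder in the driver's paramstyle, value supplied to execute().
# sqlite3 accepts 'named' (:filename); a 'pyformat' driver would use %(filename)s.
SAFE_SQL = "SELECT id FROM docs WHERE name = :filename"


def make_db():
    """In-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", ROWS)
    return conn


def exists_vulnerable(conn, filename):
    """Mirror of the pre-fix pattern: cur.execute(sql % fields)."""
    cur = conn.cursor()
    cur.execute(VULNERABLE_SQL % {"filename": filename})
    return cur.fetchone() is not None


def exists_safe(conn, filename):
    """Mirror of the post-fix pattern: cur.execute(sql, fields)."""
    cur = conn.cursor()
    cur.execute(SAFE_SQL, {"filename": filename})
    return cur.fetchone() is not None


def compare(filename):
    """Run both variants on one filename; None means the query raised an error."""
    conn = make_db()
    try:
        vulnerable = exists_vulnerable(conn, filename)
    except sqlite3.Error:
        vulnerable = None
    return {"vulnerable": vulnerable, "safe": exists_safe(conn, filename)}


def demo():
    """Honest name, an injected tautology, and a name with an embedded quote."""
    return {
        "honest": compare("report.pdf"),
        # Constructed attacker-controlled name: closes the literal, adds OR '1'='1'.
        "injected": compare("nothing.bin' OR '1'='1"),
        # Legitimate name that merely contains a quote character.
        "quoted": compare("O'Brien.txt"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the formatted statement the injected name matches every row (the "file exists" check fires for a file that does not exist) and the quoted name breaks the SQL syntax; the bound version treats both as plain strings and answers correctly.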


Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog	2010-05-21 18:06:12 UTC (rev 2732)
+++ base/trunk/ChangeLog	2010-05-25 13:11:24 UTC (rev 2733)
@@ -1,3 +1,11 @@
+2010-05-25  Bernhard Herzog  <bh at intevation.de>
+
+	* mpulsweb/lib/validators.py (FileExistsChecker.casedoc_sql)
+	(FileExistsChecker.globaldoc_sql): Fix parameter markers so that
+	the normal DB-API parameter substitution can be used.
+	(FileExistsChecker.validate_python): Use the standard DB-API
+	parameter substitution mechanism.  This avoids SQL-injections.
+
 2010-05-21  Bernhard Herzog  <bh at intevation.de>
 
 	* mpulsweb/lib/renderer.py (tag): Allow attribute names that

Modified: base/trunk/mpulsweb/lib/validators.py
===================================================================
--- base/trunk/mpulsweb/lib/validators.py	2010-05-21 18:06:12 UTC (rev 2732)
+++ base/trunk/mpulsweb/lib/validators.py	2010-05-25 13:11:24 UTC (rev 2733)
@@ -68,9 +68,9 @@
     """
 
     casedoc_sql = ("SELECT id FROM ka_fall_dokumente_tbl_view"
-                   " WHERE name = '%(filename)s' and master_id = %(case)s")
+                   " WHERE name = %(filename)s and master_id = %(case)s")
     globaldoc_sql = ("SELECT id FROM ka_global_dokumente_tbl_view"
-                     " WHERE name = '%(filename)s'")
+                     " WHERE name = %(filename)s")
     field_names = None
     validate_partial_form = True
     __unpackargs__ = ('*', 'field_names')
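Review bot: the `%(filename)s` / `%(case)s` markers kept in `casedoc_sql` and `globaldoc_sql` only work when the driver's `paramstyle` is `pyformat`; with a `qmark`, `named` or `format` driver the parameterised `execute` call will fail with a syntax error. Since the driver is not visible here, record the required paramstyle in the class docstring above or check the module's `paramstyle` attribute once, and grep for any other caller that still does `sql % fields` on these attributes, as the dropped quotes would now turn such a call into an unquoted literal.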
@@ -124,7 +124,7 @@
                 conn = db.getConnection()
                 cur = conn.cursor()
                 fields = {'filename': name, 'case': case}
-                cur.execute(sql % fields)
+                cur.execute(sql, fields)
                 result = cur.fetchone()
                 if result:
                     errors['name'] = self.message('fileexists', state)
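Review bot: `fields` always carries both `filename` and `case`, but `globaldoc_sql` only references `%(filename)s`; psycopg2 ignores surplus keys in a mapping, yet not every DB-API driver does, so build the dict to match the statement actually selected (or leave a comment that the extra key is intentional). A regression test with a filename containing a single quote, e.g. `O'Brien.pdf`, would pin the fix: with `sql % fields` that input raised a syntax error, with `cur.execute(sql, fields)` it is a plain lookup.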



More information about the Mpuls-commits mailing list