[Mpuls-commits] r2733 - in base/trunk: . mpulsweb/lib
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue May 25 15:11:26 CEST 2010
Author: bh
Date: 2010-05-25 15:11:24 +0200 (Tue, 25 May 2010)
New Revision: 2733
Modified:
base/trunk/ChangeLog
base/trunk/mpulsweb/lib/validators.py
Log:
* mpulsweb/lib/validators.py (FileExistsChecker.casedoc_sql)
(FileExistsChecker.globaldoc_sql): Fix parameter markers so that
the normal DB-API parameter substitution can be used.
(FileExistsChecker.validate_python): Use the standard DB-API
parameter substitution mechanism. This avoids SQL-injections.
Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog 2010-05-21 18:06:12 UTC (rev 2732)
+++ base/trunk/ChangeLog 2010-05-25 13:11:24 UTC (rev 2733)
@@ -1,3 +1,11 @@
+2010-05-25 Bernhard Herzog <bh at intevation.de>
+
+ * mpulsweb/lib/validators.py (FileExistsChecker.casedoc_sql)
+ (FileExistsChecker.globaldoc_sql): Fix parameter markers so that
+ the normal DB-API parameter substitution can be used.
+ (FileExistsChecker.validate_python): Use the standard DB-API
+ parameter substitution mechanism. This avoids SQL-injections.
+
2010-05-21 Bernhard Herzog <bh at intevation.de>
* mpulsweb/lib/renderer.py (tag): Allow attribute names that
Modified: base/trunk/mpulsweb/lib/validators.py
===================================================================
--- base/trunk/mpulsweb/lib/validators.py 2010-05-21 18:06:12 UTC (rev 2732)
+++ base/trunk/mpulsweb/lib/validators.py 2010-05-25 13:11:24 UTC (rev 2733)
@@ -68,9 +68,9 @@
"""
casedoc_sql = ("SELECT id FROM ka_fall_dokumente_tbl_view"
- " WHERE name = '%(filename)s' and master_id = %(case)s")
+ " WHERE name = %(filename)s and master_id = %(case)s")
globaldoc_sql = ("SELECT id FROM ka_global_dokumente_tbl_view"
- " WHERE name = '%(filename)s'")
+ " WHERE name = %(filename)s")
field_names = None
validate_partial_form = True
__unpackargs__ = ('*', 'field_names')
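Review bot: The `%(filename)s` and `%(case)s` markers in casedoc_sql and globaldoc_sql now read exactly like Python %-format placeholders, but after this change they are DB-API (pyformat) parameters bound by cursor.execute, and nothing at the definition says so; a later maintainer who sees the unquoted name could plausibly reintroduce `sql % fields` and with it the injection this commit removes. A comment above casedoc_sql would fix that, e.g. `# %(name)s markers are DB-API pyformat placeholders; pass the values as the second argument to cursor.execute, never apply the % operator to these strings.` This also relies on the driver's paramstyle being pyformat, which the hunk cannot confirm. The enclosing class FileExistsChecker starts before this hunk.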
@@ -124,7 +124,7 @@
conn = db.getConnection()
cur = conn.cursor()
fields = {'filename': name, 'case': case}
- cur.execute(sql % fields)
+ cur.execute(sql, fields)
result = cur.fetchone()
if result:
errors['name'] = self.message('fileexists', state)
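Review bot: The cursor obtained two lines above the changed execute call is not released on the path visible here, so an exception from `cur.execute(sql, fields)` or `cur.fetchone()` leaves it open; guarding the two calls with `try: ... finally: cur.close()` keeps the parameterized query while making cleanup explicit. validate_python begins and ends outside this hunk, so a close further down cannot be ruled out, and whether getConnection hands out a pooled connection that must be returned is not visible either. The fix itself, passing `fields` as the execute parameter instead of %-formatting it, is the right one for the query strings changed in the first hunk.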