IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

Parameterized post ids to avoid possible sql injection (#7575)

Browse Source
This commit is contained in:
Jonathan
2017-10-04 15:54:42 -04:00
committed by Chris
parent 87e816da23
commit dc9b1a1d6a
1 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
store/sqlstore/post_store.go
View File

@@ -10,6 +10,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"bytes"
l4g "github.com/alecthomas/log4go" l4g "github.com/alecthomas/log4go"
"github.com/mattermost/mattermost-server/einterfaces" "github.com/mattermost/mattermost-server/einterfaces"
"github.com/mattermost/mattermost-server/model" "github.com/mattermost/mattermost-server/model"
@@ -1297,12 +1298,22 @@ func (s SqlPostStore) GetPostsByIds(postIds []string) store.StoreChannel {
go func() { go func() {
result := store.StoreResult{} result := store.StoreResult{}
inClause := `'` + strings.Join(postIds, `', '`) + `'` keys := bytes.Buffer{}
params := make(map[string]interface{})
for i, postId := range postIds {
if keys.Len() > 0 {
keys.WriteString(",")
}
query := `SELECT * FROM Posts WHERE Id in (` + inClause + `) and DeleteAt = 0 ORDER BY CreateAt DESC` key := "Post" + strconv.Itoa(i)
keys.WriteString(":" + key)
params[key] = postId
}
query := `SELECT * FROM Posts WHERE Id in (` + keys.String() + `) and DeleteAt = 0 ORDER BY CreateAt DESC`
var posts []*model.Post var posts []*model.Post
_, err := s.GetReplica().Select(&posts, query, map[string]interface{}{}) _, err := s.GetReplica().Select(&posts, query, params)
if err != nil { if err != nil {
l4g.Error(err) l4g.Error(err)