Fix injection in ids

Anatoliy Chakkaev 2013-04-18 22:59:08 +04:00 committed by Raymond Feng
parent 1a91605340
commit 504ae56acd
1 changed files with 4 additions and 4 deletions


@ -43,7 +43,7 @@ BaseSQL.prototype.defineProperty = function (model, prop, params) {
};
BaseSQL.prototype.save = function (model, data, callback) {
var sql = 'UPDATE ' + this.tableEscaped(model) + ' SET ' + this.toFields(model, data) + ' WHERE ' + this.escapeName('id') + ' = ' + data.id;
var sql = 'UPDATE ' + this.tableEscaped(model) + ' SET ' + this.toFields(model, data) + ' WHERE ' + this.escapeName('id') + ' = ' + Number(data.id);
this.query(sql, function (err) {
callback(err);
@ -53,7 +53,7 @@ BaseSQL.prototype.save = function (model, data, callback) {
BaseSQL.prototype.exists = function (model, id, callback) {
var sql = 'SELECT 1 FROM ' +
this.tableEscaped(model) + ' WHERE ' + this.escapeName('id') + ' = ' + id + ' LIMIT 1';
this.tableEscaped(model) + ' WHERE ' + this.escapeName('id') + ' = ' + Number(id) + ' LIMIT 1';
this.query(sql, function (err, data) {
if (err) return callback(err);
@ -63,7 +63,7 @@ BaseSQL.prototype.exists = function (model, id, callback) {
BaseSQL.prototype.find = function find(model, id, callback) {
var sql = 'SELECT * FROM ' +
this.tableEscaped(model) + ' WHERE ' + this.escapeName('id') + ' = ' + id + ' LIMIT 1';
this.tableEscaped(model) + ' WHERE ' + this.escapeName('id') + ' = ' + Number(id) + ' LIMIT 1';
this.query(sql, function (err, data) {
if (data && data.length === 1) {
@ -77,7 +77,7 @@ BaseSQL.prototype.find = function find(model, id, callback) {
BaseSQL.prototype.destroy = function destroy(model, id, callback) {
var sql = 'DELETE FROM ' +
this.tableEscaped(model) + ' WHERE ' + this.escapeName('id') + ' = ' + id;
this.tableEscaped(model) + ' WHERE ' + this.escapeName('id') + ' = ' + Number(id);
this.command(sql, function (err) {
callback(err);
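Review bot: `Number(id)` closes the quoting hole but does not validate the result, so a non-numeric or missing id still reaches the concatenated SQL in every hunk as `NaN` (or `Infinity`), e.g. `... WHERE \`id\` = NaN LIMIT 1`, which is not a valid numeric literal in common SQL dialects and will surface as a confusing query error rather than a clean argument error; an empty string also silently becomes `0`. Each of `save`, `exists`, `find` and `destroy` should reject non-finite values before building the statement, roughly `var numericId = Number(id); if (!isFinite(numericId)) return callback(new Error('Invalid id: ' + id));` and then interpolate `numericId`. This fix also assumes ids are always integers; if any connector or model uses string/UUID ids this coercion breaks them, so a placeholder-based query (if the underlying driver offers one) would be the more general fix. Note that the non-id values in `save` still flow through `this.toFields(model, data)`, whose escaping is not visible here; the bodies of all four functions continue outside the shown hunks.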