authorJonathan <jonfritz@gmail.com>2017-10-04 15:54:42 -0400
committerChris <ccbrown112@gmail.com>2017-10-04 12:54:42 -0700
commitdc9b1a1d6a0fe7ad2e18597cb46f3874736b4b40 (patch)
tree818778d639fddd01deb316c5378f8ae1d4d1c471
parent87e816da23929316af1935636907d39d18e97316 (diff)
Parameterized post ids to avoid possible sql injection (#7575)
-rw-r--r--store/sqlstore/post_store.go17
1 files changed, 14 insertions, 3 deletions
diff --git a/store/sqlstore/post_store.go b/store/sqlstore/post_store.go
index fb82dd724..b3e0bdbb0 100644
--- a/store/sqlstore/post_store.go
+++ b/store/sqlstore/post_store.go
@@ -10,6 +10,7 @@ import (
"strconv"
"strings"
+ "bytes"
l4g "github.com/alecthomas/log4go"
"github.com/mattermost/mattermost-server/einterfaces"
"github.com/mattermost/mattermost-server/model"
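Review bot: The added `"bytes"` import is placed after `"strings"`, which breaks the alphabetical order of the stdlib group; `gofmt` sorts consecutive import lines, so this file will be rewritten on the next format pass and the line should go before `"strconv"` now to keep the diff stable. The import block opens in the hunk header and closes outside the hunk, so the rest of the grouping cannot be checked from here.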
@@ -1297,12 +1298,22 @@ func (s SqlPostStore) GetPostsByIds(postIds []string) store.StoreChannel {
go func() {
result := store.StoreResult{}
- inClause := `'` + strings.Join(postIds, `', '`) + `'`
+ keys := bytes.Buffer{}
+ params := make(map[string]interface{})
+ for i, postId := range postIds {
+ if keys.Len() > 0 {
+ keys.WriteString(",")
+ }
+
+ key := "Post" + strconv.Itoa(i)
+ keys.WriteString(":" + key)
+ params[key] = postId
+ }
- query := `SELECT * FROM Posts WHERE Id in (` + inClause + `) and DeleteAt = 0 ORDER BY CreateAt DESC`
+ query := `SELECT * FROM Posts WHERE Id in (` + keys.String() + `) and DeleteAt = 0 ORDER BY CreateAt DESC`
var posts []*model.Post
- _, err := s.GetReplica().Select(&posts, query, map[string]interface{}{})
+ _, err := s.GetReplica().Select(&posts, query, params)
if err != nil {
l4g.Error(err)