API filter server error

Use named parameters to avoid errors
and possible SQL injection attacks

Change-Id: Ic9443e22512687af2f84bea2ce5768c970419763
This commit is contained in:
Sebastian Marcet 2017-10-30 19:38:45 -03:00
parent e8ee1dcc02
commit 298bf06a16
1 changed files with 22 additions and 9 deletions


@ -154,6 +154,10 @@ final class Filter
*/ */
public function apply2Query(QueryBuilder $query, array $mappings) public function apply2Query(QueryBuilder $query, array $mappings)
{ {
$param_prefix = "param_%s";
$param_idx = 1;
$bindings = [];
foreach ($this->filters as $filter) { foreach ($this->filters as $filter) {
if ($filter instanceof FilterElement && isset($mappings[$filter->getField()])) { if ($filter instanceof FilterElement && isset($mappings[$filter->getField()])) {
$mapping = $mappings[$filter->getField()]; $mapping = $mappings[$filter->getField()];
@ -172,9 +176,10 @@ final class Filter
} }
if(!empty($condition)) $condition .= ' OR '; if(!empty($condition)) $condition .= ' OR ';
$condition .= sprintf("%s %s %s", $mapping_or[0], $filter->getOperator(), $value); $bindings[sprintf($param_prefix, $param_idx)] = $value;
$condition .= sprintf("%s %s :%s", $mapping_or[0], $filter->getOperator(), sprintf($param_prefix, $param_idx));
++$param_idx;
} }
$query->andWhere($condition); $query->andWhere($condition);
} }
else { else {
@ -184,8 +189,9 @@ final class Filter
if (count($mapping) > 1) { if (count($mapping) > 1) {
$value = $this->convertValue($value, $mapping[1]); $value = $this->convertValue($value, $mapping[1]);
} }
$bindings[sprintf($param_prefix, $param_idx)] = $value;
$query = $query->andWhere(sprintf("%s %s %s", $mapping[0], $filter->getOperator(), $value)); $query = $query->andWhere(sprintf("%s %s :%s", $mapping[0], $filter->getOperator(), sprintf($param_prefix, $param_idx)));
++$param_idx;
} }
} }
else if (is_array($filter)) { else if (is_array($filter)) {
@ -211,7 +217,9 @@ final class Filter
} }
if(!empty($condition)) $condition .= ' OR '; if(!empty($condition)) $condition .= ' OR ';
$condition .= sprintf(" %s %s %s ", $mapping_or[0], $e->getOperator(), $value); $bindings[sprintf($param_prefix, $param_idx)] = $value;
$condition .= sprintf(" %s %s :%s ", $mapping_or[0], $e->getOperator(), sprintf($param_prefix, $param_idx));
++$param_idx;
} }
if(!empty($sub_or_query)) $sub_or_query .= ' OR '; if(!empty($sub_or_query)) $sub_or_query .= ' OR ';
$sub_or_query .= ' ( '.$condition.' ) '; $sub_or_query .= ' ( '.$condition.' ) ';
@ -225,13 +233,18 @@ final class Filter
} }
if(!empty($sub_or_query)) $sub_or_query .= ' OR '; if(!empty($sub_or_query)) $sub_or_query .= ' OR ';
$sub_or_query .= sprintf(" %s %s %s ", $mapping[0], $e->getOperator(), $value);
$bindings[sprintf($param_prefix, $param_idx)] = $value;
$sub_or_query .= sprintf(" %s %s :%s ", $mapping[0], $e->getOperator(), sprintf($param_prefix, $param_idx));
++$param_idx;
} }
} }
} }
$query->andWhere($sub_or_query); $query->andWhere($sub_or_query);
} }
} }
foreach($bindings as $param => $value)
$query->setParameter($param, $value);
return $this; return $this;
} }
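Review bot: The new lines bind only the value; the column name and the operator are still interpolated into the SQL string by sprintf (`$mapping_or[0]`, `$mapping[0]`, `$filter->getOperator()`, `$e->getOperator()`) in this hunk and in the three hunks above it, so unless FilterElement's operator is already validated against a fixed set before it reaches apply2Query, a filter built from request input still enters the query unescaped. I would record that assumption above the foreach, e.g. `// NOTE: only values are bound as :param_N; $mappings is developer-supplied and getOperator() must be limited to a known operator set upstream`. A second point: `$param_idx` restarts at 1 on every call, so applying two Filter instances to the same QueryBuilder (or a caller that already used `param_1`) makes the setParameter loop at the end silently overwrite the earlier binding; if this is Doctrine's QueryBuilder, seeding the index from `count($query->getParameters())` or using a per-instance prefix would avoid the collision. The method's opening lines are in the first hunk of this section.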
@ -245,13 +258,13 @@ final class Filter
switch ($original_format) { switch ($original_format) {
case 'datetime_epoch': case 'datetime_epoch':
$datetime = new \DateTime("@$value"); $datetime = new \DateTime("@$value");
return sprintf("'%s'", $datetime->format("Y-m-d H:i:s")); return sprintf("%s", $datetime->format("Y-m-d H:i:s"));
break; break;
case 'json_int': case 'json_int':
return intval($value); return intval($value);
break; break;
case 'json_string': case 'json_string':
return sprintf("'%s'",$value); return sprintf("%s",$value);
break; break;
default: default:
return $value; return $value;
@ -274,7 +287,7 @@ final class Filter
public function toRawSQL(array $mappings) public function toRawSQL(array $mappings)
{ {
$sql = ''; $sql = '';
$this->bindings = array(); $this->bindings = [];
foreach ($this->filters as $filter) { foreach ($this->filters as $filter) {
if ($filter instanceof FilterElement) { if ($filter instanceof FilterElement) {