Greg Slepak avatar Greg Slepak committed 4194d66

DF.OBJ now supports safe binding of finder parameters


Files changed (1)

example-site/dragonfly-framework/plugins-inactive/db/database_orm.lsp

 ; The returned object is NOT autoreleased! YOU are responsible for releasing it when you're done with it!
 (define (find-dbobj db table cols finder , data)
 	(when (integer? finder) (setf finder (string DBOBJ_ROWID_COL finder)))
-	(when (setf data (assoc-row-with-db db (format DBOBJ_SELECT_SQL (join cols ",") table finder)))
-		(instantiate DB.OBJ db table data finder)
-	)
+	(when (setf data (dbobj-assoc-row db table cols finder))
+		(instantiate DB.OBJ db table data finder))
 )
 
 
 
 (define (dbobj-refetch obj)
 	(set 'obj:dirty      nil
-	     'obj:revert-set (assoc-row-with-db obj:db (format DBOBJ_SELECT_SQL (join (map first obj:revert-set) ",") obj:table obj:finder))
+	     'obj:revert-set (dbobj-assoc-row obj:db obj:table (map first obj:revert-set) obj:finder)
 	     'obj:change-set obj:revert-set
 	)
 )
 )
 
 ; returns list of saved differences on successful update, 0 if no update was needed, or nil if update failed
-(define (dbobj-save obj , diff db)
-	(setf db obj:db)
+(define (dbobj-save obj , diff)
 	(if (null? (setf diff (difference obj:change-set obj:revert-set)))
 		0
-		(when (db:execute-update (format DBOBJ_UPDATE_SQL obj:table (join (map first diff) "=?,") obj:finder) (map last diff))
+		(when (dbobj-do-update obj:db obj:table diff obj:finder)
 			(set 'obj:revert-set obj:change-set 'obj:dirty nil)
 			diff
 		)
 	)
 )
 
-(define (dbobj-delete obj , db)
-	(setf db obj:db)
-	(when (db:execute-update (format DBOBJ_DELETE_SQL obj:table obj:finder))
+(define (dbobj-delete obj)
+	(when (dbobj-do-delete obj:db obj:table obj:finder)
 		(set 'obj:revert-set '() 'obj:change-set '())
 		true
 	)
 )
 
 ;---------------------------------------------------------------
+; !Finder-Binder, for SQL-injection proof binding in the finder
+;---------------------------------------------------------------
+
+(define (dbobj-finder-binder finder)
+	(join (map (fn(x)(string (x 0) "=?")) finder) ",")
+)
+
+(define (dbobj-assoc-row db table cols finder)
+	(setf cols (join cols ","))
+	(if (list? finder)
+		(assoc-row-with-db db (format DBOBJ_SELECT_SQL cols table (dbobj-finder-binder finder)) (map last finder))
+		(assoc-row-with-db db (format DBOBJ_SELECT_SQL cols table finder))
+	)
+)
+
+(define (dbobj-do-update db table kv finder , cols)
+	(setf cols (join (map first kv) "=?,"))
+	(if (list? finder)
+		(db:execute-update (format DBOBJ_UPDATE_SQL table cols (dbobj-finder-binder finder)) (extend (map last kv) (map last finder)))
+		(db:execute-update (format DBOBJ_UPDATE_SQL table cols finder) (map last kv))
+	)
+)
+
+(define (dbobj-do-delete db table finder)
+	(if (list? finder)
+		(db:execute-update (format DBOBJ_DELETE_SQL table (dbobj-finder-binder finder)) (map last finder))
+		(db:execute-update (format DBOBJ_DELETE_SQL table finder))
+	)
+)
+
+;---------------------------------------------------------------
 ; !The DB.OBJ constructor
 ;---------------------------------------------------------------
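Review bot: `dbobj-finder-binder` joins the bound conditions with ",", so a finder with more than one `(col value)` pair yields `a=?,b=?`, which is not a valid WHERE expression if `DBOBJ_SELECT_SQL`/`DBOBJ_UPDATE_SQL`/`DBOBJ_DELETE_SQL` place the finder after WHERE as the existing `ROWID=N` string form suggests; the comma is right for the SET list built on L73 but the finder join should be `(join (map (fn (x) (string (x 0) "=?")) finder) " AND ")`. Only the finder values are bound; the column names `(x 0)` are still spliced into the statement text, so the injection-proof claim in the section header holds only when the keys come from code, not from request data — I would add `; NOTE: only values are bound; column names in the finder must be trusted identifiers` above the define. The plain-string finder branch in `dbobj-assoc-row`, `dbobj-do-update` and `dbobj-do-delete` still interpolates the raw string, which is fine for the integer case `find-dbobj` produces on L13 but remains unsafe for caller-built strings; a one-line comment on that branch saying so would keep callers on the list form.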
 