
fix: changed query to accept user input in prepared sql statement (#2652)

* Changed query to accept user input in prepared sql statement

* Changed query to accept user input in parameterized query

* Changed query to accept user input in parameterized query

* Changed query to accept user input in parameterized query

* Changed query to accept user input in parameterized query
deepakrai9185720 authored Nov 4, 2022
1 parent 4741989 commit 2f956b7
Showing 1 changed file with 8 additions and 11 deletions.
19 changes: 8 additions & 11 deletions warehouse/warehouse.go
Expand Up @@ -1794,6 +1794,7 @@ func pendingEventsHandler(w http.ResponseWriter, r *http.Request) {
}

func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCount int64, err error) {
sourceOrDestId = pq.QuoteIdentifier(sourceOrDestId)
sourceOrDestColumn := ""
if isSourceId {
sourceOrDestColumn = "source_id"
Expand All @@ -1807,16 +1808,14 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
FROM
%[1]s
WHERE
%[1]s.%[3]s = '%[2]s';
%[2]s = $1;
`,
warehouseutils.WarehouseUploadsTable,
sourceOrDestId,
sourceOrDestColumn,
)

err = dbHandle.QueryRow(sqlStatement).Scan(&lastStagingFileIDRes)
err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&lastStagingFileIDRes)
if err != nil && err != sql.ErrNoRows {
err = fmt.Errorf("query: %s failed with Error : %w", sqlStatement, err)
err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
return
}
lastStagingFileID := int64(0)
Expand All @@ -1830,18 +1829,16 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
FROM
%[1]s
WHERE
%[1]s.id > %[2]v
AND %[1]s.%[4]s = '%[3]s';
id > %[2]v
AND %[3]s = $1;
`,
warehouseutils.WarehouseStagingFilesTable,
lastStagingFileID,
sourceOrDestId,
sourceOrDestColumn,
)

err = dbHandle.QueryRow(sqlStatement).Scan(&fileCount)
err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&fileCount)
if err != nil && err != sql.ErrNoRows {
err = fmt.Errorf("query: %s failed with Error : %w", sqlStatement, err)
err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
return
}

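Review bot: The line `sourceOrDestId = pq.QuoteIdentifier(sourceOrDestId)` in the first hunk appears to sit on the new side (the hunk header grows from 6 to 7 lines, and the rendered page has lost its +/- markers, so this is inferred), and if so it corrupts the bound value: QuoteIdentifier wraps a string in double quotes for use as an identifier, so the `$1` parameter in both `QueryRow(sqlStatement, sourceOrDestId)` calls compares the selected column against `"<id>"` rather than `<id>` and the counts silently come back as zero. Parameter binding already keeps the value out of the SQL text, so that line should be deleted rather than kept as extra escaping. The column name still enters the statement via `%[2]s`/`%[3]s`, which is acceptable only because `sourceOrDestColumn` is chosen from fixed literals by the boolean; a comment such as `// sourceOrDestColumn is a fixed literal selected by isSourceId, never caller input` above each Sprintf would make that invariant explicit. getPendingStagingFileCount continues past the last hunk.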
