🙊 escape sql strings

This commit is contained in:
Carl-Gerhard Lindesvärd
2024-03-28 15:57:13 +01:00
parent 40b98f36a4
commit ecf68463c9
16 changed files with 104 additions and 56 deletions


@@ -1,4 +1,5 @@
import { omit, uniq } from 'ramda';
import { escape } from 'sqlstring';
import { v4 as uuid } from 'uuid';
import { randomSplitName, toDots } from '@openpanel/common';
@@ -261,15 +262,15 @@ export async function getEventList({
sb.limit = take;
sb.offset = Math.max(0, (cursor ?? 0) * take);
sb.where.projectId = `project_id = '${projectId}'`;
sb.where.projectId = `project_id = ${escape(projectId)}`;
if (profileId) {
sb.where.deviceId = `device_id IN (SELECT device_id as did FROM openpanel.events WHERE profile_id = '${profileId}' group by did)`;
sb.where.deviceId = `device_id IN (SELECT device_id as did FROM openpanel.events WHERE profile_id = ${escape(profileId)} group by did)`;
}
if (events && events.length > 0) {
sb.where.events = `name IN (${join(
events.map((n) => `'${n}'`),
events.map((event) => escape(event)),
','
)})`;
}
@@ -297,14 +298,14 @@ export async function getEventsCount({
filters,
}: Omit<GetEventListOptions, 'cursor' | 'take'>) {
const { sb, getSql, join } = createSqlBuilder();
sb.where.projectId = `project_id = '${projectId}'`;
sb.where.projectId = `project_id = ${escape(projectId)}`;
if (profileId) {
sb.where.profileId = `profile_id = '${profileId}'`;
sb.where.profileId = `profile_id = ${escape(profileId)}`;
}
if (events && events.length > 0) {
sb.where.events = `name IN (${join(
events.map((n) => `'${n}'`),
events.map((event) => escape(event)),
','
)})`;
}
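Review bot: The new `escape(projectId)`, `escape(profileId)` and `escape(event)` calls serialize by the argument's runtime type rather than always emitting a quoted string — sqlstring's `escape()` renders numbers and booleans unquoted, `undefined`/`null` as `NULL`, arrays as a comma-joined list and plain objects as `` `key` = value `` pairs — so if these values arrive from an unvalidated request the shape of the `profile_id = …` and `name IN (…)` expressions can still change. Unless `GetEventListOptions` (declared outside the hunk) already pins them to `string`, coerce before escaping, e.g. `sb.where.profileId = \`profile_id = ${escape(String(profileId))}\`;` and `events.map((event) => escape(String(event)))`, or validate the types at the route boundary. sqlstring also follows MySQL quoting rules (backslash-escaped quotes), so it is worth confirming the target database parses those identically, and driver-level parameter binding would be preferable to assembling SQL text at all. The body of `getEventsCount` continues past the end of this hunk, so the `getSql` call that consumes `sb.where` is not visible here.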