/json/query now fails without executing the query if the provided query has no result _columns_ (to explicitly disallow INSERT/DELETE/DROP, etc.).
Commit
3e1dd97f77481a92408e5ef0f27337ea5167793e
Parent
e40e79b7ab7b9f0…
1 file changed
+7
+7
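--- a/src/json_query.c
+++ b/src/json_query.c
@@ -65,10 +65,17 @@
 }
 
 zFmt = json_find_option_cstr2("format",NULL,"f",3);
 if(!zFmt) zFmt = "o";
 db_prepare(&q,"%s", zSql);
+if( 0 == sqlite3_column_count( q.pStmt ) ){
+json_set_err(FSL_JSON_E_USAGE,
+"Input query has no result columns. "
+"Only SELECT-like queries are supported.");
+db_finalize(&q);
+return NULL;
+}
 switch(*zFmt){
 case 'a':
 check = cson_sqlite3_stmt_to_json(q.pStmt, &payV, 0);
 break;
 case 'o':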
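Review bot: The column-count test added at new line 70 is a heuristic for "read-only", not a guarantee — a prepared statement can expose result columns and still write to the database, so the direct check SQLite provides, `sqlite3_stmt_readonly()` (available since SQLite 3.7.4), should be combined with it: `if( 0 == sqlite3_column_count( q.pStmt ) || !sqlite3_stmt_readonly( q.pStmt ) ){`. The error text would then need to say the query must be read-only as well as SELECT-like. Because `db_prepare()` compiles only the first statement of `zSql`, it is also worth confirming, outside this hunk, that it rejects any trailing SQL after the first `;` rather than silently ignoring it. The enclosing function begins and ends outside the hunk, and the same hunk is rendered twice more below with the same point applying.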
| --- src/json_query.c | |
| +++ src/json_query.c | |
| @@ -65,10 +65,17 @@ | |
| 65 | } |
| 66 | |
| 67 | zFmt = json_find_option_cstr2("format",NULL,"f",3); |
| 68 | if(!zFmt) zFmt = "o"; |
| 69 | db_prepare(&q,"%s", zSql); |
| 70 | switch(*zFmt){ |
| 71 | case 'a': |
| 72 | check = cson_sqlite3_stmt_to_json(q.pStmt, &payV, 0); |
| 73 | break; |
| 74 | case 'o': |
| 75 |
| --- src/json_query.c | |
| +++ src/json_query.c | |
| @@ -65,10 +65,17 @@ | |
| 65 | } |
| 66 | |
| 67 | zFmt = json_find_option_cstr2("format",NULL,"f",3); |
| 68 | if(!zFmt) zFmt = "o"; |
| 69 | db_prepare(&q,"%s", zSql); |
| 70 | if( 0 == sqlite3_column_count( q.pStmt ) ){ |
| 71 | json_set_err(FSL_JSON_E_USAGE, |
| 72 | "Input query has no result columns. " |
| 73 | "Only SELECT-like queries are supported."); |
| 74 | db_finalize(&q); |
| 75 | return NULL; |
| 76 | } |
| 77 | switch(*zFmt){ |
| 78 | case 'a': |
| 79 | check = cson_sqlite3_stmt_to_json(q.pStmt, &payV, 0); |
| 80 | break; |
| 81 | case 'o': |
| 82 |