Changeset 3604
- Timestamp:
- 05/05/08 14:07:42 (7 months ago)
- Files:
-
- usermanagerplugin/0.11/tracusermanager/api.py (modified) (2 diffs)
usermanagerplugin/0.11/tracusermanager/api.py
r3245 r3604 436 436 cursor.execute("SELECT sid FROM session_attribute WHERE name='enabled'") 437 437 else: 438 """@note: [TO DO] Redo this query in order to avoid SQL Injection! 439 The following line executes a query that should look like this: 440 441 (for dict(name='John%', email='%@exemple.com')): 438 """ The following line executes a query that should look like this: 439 440 #for attributes_dict = dict(name='John%', email='%@exemple.com')): 442 441 SELECT sid, 443 442 count(sid) cnt … … 446 445 OR name='email' AND value like '%@exemple.com' 447 446 GROUP BY sid 448 HAVING cnt=2 447 HAVING cnt=2 449 448 """ 449 450 # dict to list attr_dict = { k1:v1, k2:v2, ... } -> [k1,v1,k2,v2..., len(attr_dict)] 451 attributes_list=[] 452 for k, v in attributes_dict.items(): 453 attributes_list.append(k.startswith('NOT_') and k[4:] or k) 454 attributes_list.append(v) 455 456 attributes_list.append(len(attributes_dict)) 457 450 458 def _get_condition(k,v): 451 is_not = k.startswith('NOT_') 452 return "name='%s' AND value %sLIKE '%s'"%(is_not and k[4:] or k, is_not and 'NOT ' or '', v) 453 cursor.execute("SELECT sid, count(sid) cnt FROM session_attribute WHERE %s GROUP BY sid HAVING cnt=%s"% 454 (" OR ".join([ _get_condition(k,v) for k,v in attributes_dict.items()]), len(attributes_dict.items()))) 459 return "name=%s AND value " + (k.startswith('NOT_') and 'NOT' or '') + " LIKE %s" 460 461 cursor.execute("SELECT sid, count(sid) cnt" 462 " FROM session_attribute" 463 " WHERE " + " OR ".join([ _get_condition(k,v) for k,v in attributes_dict.items()]) + 464 " GROUP BY sid" 465 " HAVING cnt=%s", attributes_list) 455 466 456 467 return [id for id, cnd in cursor]
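Review bot: The `%s` placeholders in the WHERE clause and the values bound through `attributes_list` come from two separate passes over `attributes_dict.items()` (the `for k, v` loop that fills `attributes_list`, then the list comprehension inside `cursor.execute`), so key/value pairs line up with their `name=%s AND value ... LIKE %s` slots only because an unmodified dict happens to iterate in the same order twice; any later edit that filters or reorders one pass but not the other would silently bind a value to the wrong attribute name. Building the condition strings and the parameter list in one loop removes that coupling and makes `_get_condition`'s unused `v` argument unnecessary. Parameter binding now stops SQL injection, which resolves the removed TODO, but `%` and `_` inside a value are still LIKE wildcards, so a caller that needs an exact match on an untrusted value must escape them or the lookup can match more sessions than intended — worth a one-line comment above the query. If `attributes_dict` can be empty on this branch, the join produces `WHERE  GROUP BY sid`, a syntax error; the `if` that guards this `else:` is outside the hunk, so that case may already be excluded. The enclosing function starts before this hunk.
```python
# … unchanged: docstring describing the generated query …
# Build placeholders and bound values in one pass so they cannot drift apart.
# NOTE: values are bound, not interpolated, but '%' and '_' are still LIKE wildcards.
conditions = []
params = []
for k, v in attributes_dict.items():
    is_not = k.startswith('NOT_')
    conditions.append("name=%s AND value " + (is_not and 'NOT ' or '') + "LIKE %s")
    params.append(is_not and k[4:] or k)
    params.append(v)
params.append(len(attributes_dict))

cursor.execute("SELECT sid, count(sid) cnt"
               " FROM session_attribute"
               " WHERE " + " OR ".join(conditions) +
               " GROUP BY sid"
               " HAVING cnt=%s", params)
# … unchanged: return [id for id, cnd in cursor] …
```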
