$offset = 0 unless $offset;
$limit = 999999 unless $limit;
$debug and print STDERR "execute_query($sql, $offset, $limit)\n";
- if ($sql =~ /;?\W?(UPDATE|DELETE|DROP|INSERT|SHOW|CREATE)\W/i) {
- return (undef, { sqlerr => $1} );
- } elsif ($sql !~ /^\s*SELECT\b\s*/i) {
- return (undef, { queryerr => 'Missing SELECT'} );
- }
+
+ my $errors = Koha::Reports->validate_sql($sql);
+ return (undef, @{$errors}[0]) if (scalar(@$errors));
foreach my $sql_param ( @$sql_params ){
if ( $sql_param =~ m/\n/ ){
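Review bot: `@{$errors}[0]` on the added return line is a one-element array slice rather than an element access; it works here because the slice has exactly one element, but `$errors->[0]` says what is meant and is the form a reader expects after `scalar(@$errors)` on the same line: `return (undef, $errors->[0]) if @$errors;`. The enclosing execute_query starts before this hunk, so I cannot see whether $sql is normalised before it reaches validate_sql.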
=cut
+=head3 validate_sql
+
+Validate SQL query string so it only contains a select,
+not any of the harmful queries.
+
+=cut
+
+sub validate_sql {
+ my ($self, $sql) = @_;
+
+ $sql //= '';
+ my @errors = ();
+
+ if ($sql =~ /;?\W?(UPDATE|DELETE|DROP|INSERT|SHOW|CREATE)\W/i) {
+ push @errors, { sqlerr => $1 };
+ } elsif ($sql !~ /^\s*SELECT\b\s*/i) {
+ push @errors, { queryerr => 'Missing SELECT' };
+ }
+
+ return \@errors;
+}
+
=head3 _type
Returns name of corresponding DBIC resultset
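Review bot: The keyword check in validate_sql has an optional leading boundary, `\W?`, and a mandatory trailing `\W`, so an identifier that merely ends in a listed word (e.g. a column `last_update` followed by a space) is rejected as a `sqlerr`, while a listed word at the very end of the string is not matched at all; word boundaries on both sides are what the intent calls for: `if ($sql =~ /\b(UPDATE|DELETE|DROP|INSERT|SHOW|CREATE)\b/i) {`. The moved regex is a denylist of six verbs, so the POD claim that the query then contains "not any of the harmful queries" overstates it; I would document it as `Reject a query that is not a SELECT or that contains one of a short denylist of statement keywords; this is a defence-in-depth check and not a substitute for running reports under a database account with read-only privileges`, and consider whether other data-changing keywords belong in the list. The same `$1` value is returned as `sqlerr` in the case the user typed it, which is fine but worth a comment since the test compares it verbatim.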
create_non_existing_group_and_subgroup($input, $group, $subgroup);
- if ($sql =~ /;?\W?(UPDATE|DELETE|DROP|INSERT|SHOW|CREATE)\W/i) {
- push @errors, {sqlerr => $1};
- }
- elsif ($sql !~ /^(SELECT)/i) {
- push @errors, {queryerr => "No SELECT"};
- }
+ push(@errors, @{Koha::Reports->validate_sql($sql)});
if (@errors) {
$template->param(
create_non_existing_group_and_subgroup($input, $group, $subgroup);
## FIXME this is AFTER entering a name to save the report under
- if ($sql =~ /;?\W?(UPDATE|DELETE|DROP|INSERT|SHOW|CREATE)\W/i) {
- push @errors, {sqlerr => $1};
- }
- elsif ($sql !~ /^(SELECT)/i) {
- push @errors, {queryerr => "No SELECT"};
- }
+ push(@errors, @{Koha::Reports->validate_sql($sql)});
if (@errors) {
$template->param(
use Modern::Perl;
-use Test::More tests => 5;
+use Test::More tests => 6;
use Koha::Report;
use Koha::Reports;
};
$schema->storage->txn_rollback;
+
+subtest 'validate_sql' => sub {
+ plan tests => 3 + 6*2;
+ my @badwords = ('UPDATE', 'DELETE', 'DROP', 'INSERT', 'SHOW', 'CREATE');
+ is_deeply( Koha::Reports->validate_sql(), [{ queryerr => 'Missing SELECT'}], 'Empty sql is missing SELECT' );
+ is_deeply( Koha::Reports->validate_sql('FOO'), [{ queryerr => 'Missing SELECT'}], 'Nonsense sql is missing SELECT' );
+ is_deeply( Koha::Reports->validate_sql('select FOO'), [], 'select FOO is good' );
+ foreach my $word (@badwords) {
+ is_deeply( Koha::Reports->validate_sql('select FOO;'.$word.' BAR'), [{ sqlerr => $word}], 'select FOO with '.$word.' BAR' );
+ is_deeply( Koha::Reports->validate_sql($word.' qux'), [{ sqlerr => $word}], $word.' qux' );
+ }
+}
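Review bot: The new subtest only exercises keywords that appear at the start of the string or directly after `;`, so it does not pin down the boundary behaviour of the regex: a listed word embedded in an identifier (`select last_update from foo`) and a listed word at the end of the string (`select foo; DROP`) are both unasserted, and those are the cases most likely to regress if the pattern is tightened. Adding two `is_deeply` cases for them (and bumping the plan accordingly) would make the validator's contract explicit. The closing `}` on the last line appears to end the subtest without a `;`; if this is not the end of the file that should be `};`.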