Nu we een safe.quoted_sql_join hebben kunnen we een aantal plekken explicieter sql-safe werken

svn path=/Website/trunk/; revision=25705
2015-07-23 12:17:38 +00:00
parent d5d6a14f77
commit c5d9a03614
5 changed files with 9 additions and 7 deletions
--- a/APPL/FAC/fac_list.asp
+++ b/APPL/FAC/fac_list.asp
@@ -300,7 +300,7 @@ function sqlTracking(refkey, node)
    else if (modules.length == 0)
      module_filter = " AND 0 = 1";
    else
-      module_filter = " AND xmlnode IN ('" + modules.join("','") + "')";
+      module_filter = " AND xmlnode IN (" + safe.quoted_sql_join(modules) + ")";

    var sqln = "SELECT m.prs_perslid_key prs_perslid_key"   // melding van jou
             + "     , isd.ins_srtdiscipline_prefix || TO_CHAR (m.mld_melding_key) item"
--- a/APPL/Shared/User.inc
+++ b/APPL/Shared/User.inc
@@ -808,7 +808,7 @@ Perslid.prototype.checkAutorisation_readit = function _checkAutorisation_readit(
  if (typeof autfunction == "number")
    where = "f.fac_functie_key = " + autfunction;
  else if (typeof autfunction == "object" && autfunction instanceof Array)
-    where = "f.fac_functie_code IN ('" + autfunction.join("','") + "')";
+    where = "f.fac_functie_code IN (" + safe.quoted_sql_join(autfunction) + ")";
  else
    where = "f.fac_functie_code = " + safe.quoted_sql(autfunction);

--- a/APPL/Shared/discx3d.inc
+++ b/APPL/Shared/discx3d.inc
@@ -88,7 +88,7 @@ function prshasrestrict(pautfunction)
          + " WHERE wg.prs_perslid_key = " + user_key
          + "   AND f.fac_functie_key = wg.fac_functie_key"
          + (typeof pautfunction == "object" && pautfunction instanceof Array
-            ? " AND f.fac_functie_code IN ('" + pautfunction.join("','") + "')"
+            ? " AND f.fac_functie_code IN (" + safe.quoted_sql_join(pautfunction) + ")"
            : " AND f.fac_functie_code = " + safe.quoted_sql(pautfunction))
          + "   AND wg.fac_gebruiker_prs_level_read > -1";

--- a/APPL/Shared/resultset_filter_table.inc
+++ b/APPL/Shared/resultset_filter_table.inc
@@ -370,7 +370,7 @@ function getSQLByKey (pTable, pKeys)

        sql = " SELECT label"
            + " FROM " + sql_fac
-            + " WHERE id IN ('" + lKeys + "')"
+            + " WHERE id IN (" + lKeys + ")"
            + " ORDER BY 1";

      break;
--- a/APPL/Shared/status_info.asp
+++ b/APPL/Shared/status_info.asp
@@ -44,7 +44,9 @@
    var print = getQParam ("print", null);

    var entkey = mld_key != -1 ? mld_key : (opdr_key != -1 ? opdr_key : (rsv_ruimte_key != -1 ? rsv_ruimte_key : (afspr_key != -1 ? afspr_key : (cnt_key != -1 ? cnt_key : (ins_key != -1 ? ins_key : (fin_key != -1 ? fin_key : (bes_key != -1 ? bes_key : (ord_key != -1 ? ord_key : (room_key != -1? room_key : (prs_key != -1 ? prs_key : (kpn_key != -1 ? kpn_key : -1)))))))))));
-    var enttype = mld_key != -1 ? 'melding' : (opdr_key != -1 ? 'opdracht' : (rsv_ruimte_key != -1 ? 'reservering\', \'xreservering' : (afspr_key != -1 ? 'afspraak' : (cnt_key != -1 ? 'contract' : (ins_key != -1 ? 'deel' : (fin_key != -1 ? 'factuur' : (bes_key != -1 ? 'bestelling' : (ord_key != -1 ? 'bestelopdr' : (room_key != -1? 'ruimte' : (prs_key != -1 ? 'perslid' : (kpn_key != -1 ? 'kostenplaats' :'unsupported')))))))))));
+    var enttype = mld_key != -1 ? 'melding' : (opdr_key != -1 ? 'opdracht' : (rsv_ruimte_key != -1 ? ['reservering', 'xreservering'] : (afspr_key != -1 ? 'afspraak' : (cnt_key != -1 ? 'contract' : (ins_key != -1 ? 'deel' : (fin_key != -1 ? 'factuur' : (bes_key != -1 ? 'bestelling' : (ord_key != -1 ? 'bestelopdr' : (room_key != -1? 'ruimte' : (prs_key != -1 ? 'perslid' : (kpn_key != -1 ? 'kostenplaats' :'unsupported')))))))))));
+    if (typeof enttype == 'string')
+        enttype = [enttype];

    if (entkey != -1)
    {
@@ -84,7 +86,7 @@
          + "   AND tr.prs_perslid_key = pf.prs_perslid_key (+)";

     sql = sql11
-         + " AND (tr.fac_tracking_refkey = " + entkey + " AND str.fac_srtnotificatie_xmlnode IN ('" + enttype +"')";
+         + " AND (tr.fac_tracking_refkey = " + entkey + " AND str.fac_srtnotificatie_xmlnode IN (" + safe.quoted_sql_join(enttype) +")";

     if (res_afspr_key > 0)
          // Bewust: *hier* wordt niet getoond of bezoek binnen/buiten is gemeld; dat zie je alleen bij de afspraak
@@ -95,7 +97,7 @@
     sql += " )";

     // In Or-constructie komt er geen antwoord, zo wel.
-     if (enttype == "afspraak")
+     if (enttype[0] == "afspraak")
     {
        sql += " UNION "
            + sql11