mirror of
https://github.com/siyuan-note/siyuan.git
synced 2026-06-28 23:06:24 +00:00
3071ad22d4
The putStat function in kernel/sql/stat.go was building SQL queries via string concatenation instead of using parameterized queries. While currently only called with hardcoded internal values, this is a defense-in-depth improvement that prevents future SQL injection if the function is ever called with user-controlled input. The execStmtTx helper already supports variadic args, so this is a straightforward change to use ? placeholders. Co-authored-by: Test User <test@example.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
66 lines
1.7 KiB
Go
66 lines
1.7 KiB
Go
// SiYuan - Refactor your thinking
|
|
// Copyright (c) 2020-present, b3log.org
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package sql
|
|
|
|
import (
|
|
"database/sql"
|
|
"strings"
|
|
|
|
"github.com/siyuan-note/logging"
|
|
"github.com/siyuan-note/siyuan/kernel/util"
|
|
)
|
|
|
|
type Stat struct {
|
|
Key string `json:"key"`
|
|
Val string `json:"value"`
|
|
}
|
|
|
|
func getDatabaseVer() (ret string) {
|
|
key := "siyuan_database_ver"
|
|
stmt := "SELECT value FROM stat WHERE `key` = ?"
|
|
row := db.QueryRow(stmt, key)
|
|
if err := row.Scan(&ret); err != nil {
|
|
if !strings.Contains(err.Error(), "no such table") {
|
|
logging.LogErrorf("query database version failed: %s", err)
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
func setDatabaseVer() {
|
|
key := "siyuan_database_ver"
|
|
tx, err := beginTx()
|
|
if err != nil {
|
|
return
|
|
}
|
|
if err = putStat(tx, key, util.DatabaseVer); err != nil {
|
|
return
|
|
}
|
|
commitTx(tx)
|
|
}
|
|
|
|
func putStat(tx *sql.Tx, key, value string) (err error) {
|
|
stmt := "DELETE FROM stat WHERE `key` = ?"
|
|
if err = execStmtTx(tx, stmt, key); err != nil {
|
|
return
|
|
}
|
|
|
|
stmt = "INSERT INTO stat VALUES (?, ?)"
|
|
err = execStmtTx(tx, stmt, key, value)
|
|
return
|
|
}
|