savoirfairelinux-openerp team mailing list archive
Message #01344
Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0
Review: Needs Fixing
For better usability and security, your sanitize function should wrap the query function, the same way OE does, so that there is no way to call the query the wrong way.
Something along the lines of
    safe_query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
               "cmis:contentStreamLength FROM cmis:document "
               "WHERE cmis:name LIKE '%%%s%%'", filename)

    def safe_query(query, *args):
        # Escape every argument before substitution. tuple() is needed:
        # map() returns a list in Python 2, and "..." % [x] formats the
        # list's repr rather than x (and fails outright for several args).
        args = tuple(map(sanitize_input, args))
        return repo.query(query % args)
Make sure to make these functions general purpose, not specific to this particular instance as it seems now (the function name sanitize_input_filename_field sounds specific to filenames, when it can be used on any query).
Finally, make sure to put these functions in your topmost dependency (cmis) so any depending module can use them reliably.
--
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team Savoir-faire Linux' OpenERP is subscribed to branch lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read.
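The wrapper the review asks for, written out as an added example; it is not code from the merge proposal or from knowledge-addons. It assumes `repo.query(statement)` behaves like cmislib's Repository.query(), that the escaping rules are those of the CMIS 1.0 query grammar (a quote or backslash inside a string literal is escaped with a backslash, and % and _ inside a LIKE pattern likewise), and it substitutes a constructed RecordingRepo for a live repository so it runs offline. The names escape_literal, escape_like, build_statement and RecordingRepo are this example's own.

```python
# Added example, not code from the knowledge-addons branch under review.
# It generalises the wrapper the review asks for: callers hand the CMIS QL
# template and the raw values to safe_query() and never interpolate into the
# statement themselves. Assumptions: `repo.query(statement)` behaves like
# cmislib's Repository.query(); the escaping rules are those of the CMIS 1.0
# query grammar (quote and backslash escaped with a backslash inside a string
# literal, % and _ escaped with a backslash inside a LIKE pattern).


def escape_literal(value):
    """Escape a value for use inside a single-quoted CMIS QL string literal.

    Backslashes are doubled first so the escaping stays unambiguous, then
    quotes are escaped; CMIS QL uses \\' here, not SQL's doubled ''.
    """
    text = "%s" % value
    return text.replace("\\", "\\\\").replace("'", "\\'")


def escape_like(value):
    """Escape a value for use inside a CMIS QL LIKE pattern.

    On top of the literal escaping, neutralise the % and _ wildcards so that
    caller-supplied text is matched literally; the wildcards the query itself
    needs belong in the template, as in "LIKE '%%%s%%'".
    """
    return escape_literal(value).replace("%", "\\%").replace("_", "\\_")


def build_statement(template, args, like=False):
    """Substitute escaped args into a %s template (placeholders must sit
    inside single quotes). tuple() matters: in Python 2 map() returns a list,
    and "%s %s" % [a, b] raises TypeError instead of formatting."""
    escape = escape_like if like else escape_literal
    return template % tuple(escape(a) for a in args)


def safe_query(repo, template, *args, **kwargs):
    """Run the template against the repository with every argument escaped.

    Pass like=True when the placeholders sit inside LIKE patterns. Keyword
    handling goes through **kwargs so the function also works on Python 2.
    """
    like = kwargs.pop("like", False)
    if kwargs:
        raise TypeError("unexpected keyword arguments: %s" % ", ".join(kwargs))
    return repo.query(build_statement(template, args, like=like))


class RecordingRepo(object):
    """Constructed stand-in for a cmislib Repository: records each statement
    instead of sending it to a CMIS server, so the example runs offline."""

    def __init__(self):
        self.statements = []

    def query(self, statement):
        self.statements.append(statement)
        return []


FILENAME_TEMPLATE = ("SELECT cmis:name, cmis:createdBy, cmis:objectId, "
                     "cmis:contentStreamLength FROM cmis:document "
                     "WHERE cmis:name LIKE '%%%s%%'")


if __name__ == "__main__":
    repo = RecordingRepo()
    # Ordinary input: the quote and the wildcard in the value are escaped.
    safe_query(repo, FILENAME_TEMPLATE, "it's 100%", like=True)
    # Hostile input that would break out of the literal if interpolated raw;
    # after escaping it stays inside the one quoted pattern.
    safe_query(repo, FILENAME_TEMPLATE, "x' OR cmis:name LIKE '%", like=True)
    for statement in repo.statements:
        print(statement)
```

Two design points: the helper, not the caller, decides which escaping applies (plain literal versus LIKE pattern), so a caller cannot pick the weaker one by mistake, and the query's own wildcards stay in the template while every wildcard arriving in a value is neutralised. Putting such a helper in the base cmis module, as the review suggests, means every depending module gets the same rules.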