Ticket #1387: sql-inject-breakpoints.diff

File sql-inject-breakpoints.diff, 1.5 KB (added by tome, 3 years ago)

Diff to use parameter markers in Breakpoints.pm

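--- a/Padre/Breakpoints.pm
+++ b/Padre/Breakpoints.pm
@@ -22,15 +22,13 @@
     my %bp_action;
     $bp_action{line} = $bp_line;
 
-    if ( $#{ $debug_breakpoints->select("WHERE filename = \"$current_file\" AND line_number = \"$bp_line\"") } >= 0 ) {
-
+    if ( $#{ $debug_breakpoints->select("WHERE filename = ? AND line_number = ?", $current_file, $bp_line ) } >= 0 ) {
         # say 'delete me';
         $editor->MarkerDelete( $bp_line - 1, Padre::Constant::MARKER_BREAKPOINT() );
         $editor->MarkerDelete( $bp_line - 1, Padre::Constant::MARKER_NOT_BREAKABLE() );
-        $debug_breakpoints->delete("WHERE filename = \"$current_file\" AND line_number = \"$bp_line\"");
+        $debug_breakpoints->delete("WHERE filename = ? AND line_number = ?", $current_file, $bp_line);
         $bp_action{action} = 'delete';
     } else {
-
         # say 'create me';
         $editor->MarkerAdd( $bp_line - 1, Padre::Constant::MARKER_BREAKPOINT() );
         $debug_breakpoints->create(
@@ -55,8 +53,8 @@
     my $editor            = Padre::Current->editor;
     my $debug_breakpoints = ('Padre::DB::DebugBreakpoints');
     my $current_file      = $editor->{Document}->filename;
-    my $sql_select        = "WHERE BY filename = \"$current_file\" ASC, line_number ASC";
-    my @tuples            = $debug_breakpoints->select($sql_select);
+    my $sql_select        = "WHERE BY filename = ? ASC, line_number ASC";
+    my @tuples            = $debug_breakpoints->select($sql_select, $current_file);
 
     for ( 0 .. $#tuples ) {
 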
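Review bot: The new `$sql_select` in the second hunk moves `$current_file` into a bind parameter, which closes the quoting hole, but the clause it binds into, `WHERE BY filename = ? ASC, line_number ASC`, is not valid SQL (`WHERE BY` and a bare `ASC` after a comparison), so the statement presumably fails or, at best, returns nothing regardless of the filename; the intent looks like `my $sql_select = "WHERE filename = ? ORDER BY line_number ASC";`, assuming the ORM appends this fragment to its own `SELECT ... FROM` as the select calls in the first hunk suggest. The first hunk's `select`/`delete` pair is correct as parameterized, though `$#{ ... } >= 0` on the returned list reads more plainly as `if ( @{ $debug_breakpoints->select(...) } )`. Both enclosing subroutines begin before their hunks, so whether `$bp_line` is already validated as a line number is not visible here.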