Woah. When did svn_sqlite__prepare arrive? I'm basically -1 on that.
The whole idea behind static statements was to avoid SQL injection attacks. Allowing the *code* to construct statements opens us up. This is Not Good.

On Apr 11, 2011 8:31 PM, <hwri...@apache.org> wrote:
> Author: hwright
> Date: Tue Apr 12 00:31:00 2011
> New Revision: 1091262
>
> URL: http://svn.apache.org/viewvc?rev=1091262&view=rev
> Log:
> * subversion/libsvn_wc/wc_db.c
> (set_changelist_txn): Special case the with-changelist case, to avoid some
> confusion by interleaving if-statements.
>
> Modified:
> subversion/trunk/subversion/libsvn_wc/wc_db.c
>
> Modified: subversion/trunk/subversion/libsvn_wc/wc_db.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_wc/wc_db.c?rev=1091262&r1=1091261&r2=1091262&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_wc/wc_db.c (original)
> +++ subversion/trunk/subversion/libsvn_wc/wc_db.c Tue Apr 12 00:31:00 2011
> @@ -3460,37 +3460,34 @@ set_changelist_txn(void *baton, > svn_relpath_dirname(local_relpath, > scratch_pool))); > } > - else > + else if (scb->changelists && scb->changelists->nelts) > { > - const char *stmt_text = statements[STMT_UPDATE_ACTUAL_CHANGELIST]; > - const char *filter = construct_filter("changelist", > - scb->changelists, > - scratch_pool); > - > - if (*filter) > - stmt_text = apr_pstrcat(scratch_pool, stmt_text, " AND ", filter, > - NULL); > + int i; > + const char *stmt_text = apr_pstrcat(scratch_pool, > + statements[STMT_UPDATE_ACTUAL_CHANGELIST], > + " AND ", > + construct_filter("changelist", > + scb->changelists, > + scratch_pool), > + NULL); > > SVN_ERR(svn_sqlite__prepare(&stmt, wcroot->sdb, stmt_text, > scratch_pool)); > > - /* If we have a filter, it means we need to bind the changelist > - params. */ > - if (*filter) > + for (i = 0; i < scb->changelists->nelts; i++) > { > - int i; > + const char *cl = APR_ARRAY_IDX(scb->changelists, i, const char *); > > - for (i = 0; i < scb->changelists->nelts; i++) > - { > - const char *cl = APR_ARRAY_IDX(scb->changelists, i, > - const char *); > - > - /* The magic number '4' here is the number of existing params, > - plus 1, in the statement, which will be bound below. */ > - SVN_ERR(svn_sqlite__bind_text(stmt, i+4, cl)); > - } > + /* The magic number '4' here is the number of existing params, > + plus 1, in the statement, which will be bound below. */ > + SVN_ERR(svn_sqlite__bind_text(stmt, i+4, cl)); > } > } > + else > + { > + SVN_ERR(svn_sqlite__get_statement(&stmt, wcroot->sdb, > + STMT_UPDATE_ACTUAL_CHANGELIST)); > + } > > /* Run the update or insert query */ > SVN_ERR(svn_sqlite__bindf(stmt, "iss", wcroot->wc_id, local_relpath, > >
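Review bot: The bind index `i+4` in the new `for` loop is coupled by hand to the parameter count of STMT_UPDATE_ACTUAL_CHANGELIST and to the `"iss"` bindf call that follows, so adding or removing a parameter in the static statement would silently bind changelist values to the wrong slots. Consider a named constant defined next to the statement, or deriving the offset from the statement itself, instead of the commented magic number. Separately, `stmt_text` is still assembled at runtime with `apr_pstrcat` and passed to `svn_sqlite__prepare`, so the safety of the prepared text rests entirely on `construct_filter` emitting only fixed text and placeholders, which is not visible in this hunk. A comment stating that invariant at the call site, or an assertion on it, would make the assumption reviewable. The new `else if` condition also assumes `construct_filter` returns a non-empty string whenever `nelts` is non-zero, where the old code checked `*filter` directly; if that can ever be false the statement ends in a dangling " AND ".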
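The objection at the top of this message turns on what is allowed to reach the statement text. As an added example (not Subversion code and not from this thread; `build_in_filter`, `MAX_PARAM` and the `?NNN` placeholder style are assumptions, and this is not the project's `construct_filter`), the following builds a variable-length filter whose text depends only on a validated column name and the element count, so values can reach SQLite only through bind calls.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAM 999  /* assumed cap on ?NNN indexes (SQLite's historical default) */

/* Hypothetical helper, not Subversion's construct_filter().  Writes
   " AND <column> IN (?N,?N+1,...)" into buf.  The text depends only on the
   column name, the first bind index and the element count; values are never
   seen here.  Returns the length written, or -1 if the input is rejected. */
static int build_in_filter(char *buf, size_t buflen, const char *column,
                           int first_param, int count)
{
  size_t used;
  int i, n;
  if (!column || first_param < 1 || count < 1
      || count > MAX_PARAM - first_param + 1)
    return -1;
  /* The column is an identifier, not data: [A-Za-z_][A-Za-z0-9_]* only. */
  if (!isalpha((unsigned char)*column) && *column != '_')
    return -1;
  for (i = 0; column[i]; i++)
    if (!isalnum((unsigned char)column[i]) && column[i] != '_')
      return -1;
  n = snprintf(buf, buflen, " AND %s IN (", column);
  if (n < 0 || (size_t)n >= buflen)
    return -1;
  used = (size_t)n;
  for (i = 0; i < count; i++)
    {
      n = snprintf(buf + used, buflen - used, "%s?%d", i ? "," : "",
                   first_param + i);
      if (n < 0 || (size_t)n >= buflen - used)
        return -1;   /* truncated: refuse rather than emit partial SQL */
      used += (size_t)n;
    }
  if (used + 2 > buflen)
    return -1;
  buf[used++] = ')';
  buf[used] = '\0';
  return (int)used;
}

int main(void)
{
  char buf[64];
  return build_in_filter(buf, sizeof buf, "changelist", 4, 3) > 0 && puts(buf) >= 0 ? 0 : 1;
}
```

The caller then binds each value at index `first_param + i`, which keeps the offset in one place instead of repeating it as a literal.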