CreateViewFields creates a new FieldsList from the provided select query. There are some caveats: - The select query must have an "id" column. - Wildcard ("*") columns are not supported to avoid accidentally leaking sensitive data. NB! Be aware that this method is vulnerable to SQL injection and t
(dangerousSelectQuery string)
// CreateViewFields creates a new FieldsList from the provided select query.
//
// There are some caveats:
//   - The select query must have an "id" column.
//   - Wildcard ("*") columns are not supported to avoid accidentally
//     leaking sensitive data.
//
// NB! Be aware that this method is vulnerable to SQL injection and the
// "dangerousSelectQuery" argument must come only from trusted input!
func (app *BaseApp) CreateViewFields(dangerousSelectQuery string) (FieldsList, error) {
	fields := NewFieldsList()

	// First pass: derive the field types the query itself suggests
	// (e.g. from the selected expressions) before touching the database.
	suggested, err := parseQueryToFields(app, dangerousSelectQuery)
	if err != nil {
		return fields, err
	}

	// The query is executed inside a transaction so that, should it
	// contain more than one statement, everything is rolled back on error.
	txErr := app.RunInTransaction(func(txApp App) error {
		columns, infoErr := getQueryTableInfo(txApp, dangerousSelectQuery)
		if infoErr != nil {
			return infoErr
		}

		idFound := false

		for _, col := range columns {
			idFound = idFound || col.Name == FieldNameId

			// Prefer the field type inferred from the query; otherwise
			// fall back to the generic view field for that column.
			entry, known := suggested[col.Name]
			if known {
				fields.Add(entry.field)
				continue
			}
			fields.Add(defaultViewField(col.Name))
		}

		if !idFound {
			return errors.New("missing required id column (you can use `(ROW_NUMBER() OVER()) as id` if you don't have one)")
		}

		return nil
	})

	return fields, txErr
}
| 125 | |
| 126 | type DryRunViewResult struct { |
| 127 | Fields FieldsList `json:"fields"` |