public/mailtrain
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #909 from Mailtrain-org/GHSL-2020-132

Browse source 
Use proper escaping for variable column names
This commit is contained in:
Andris Reinman 2020-07-13 10:07:16 +03:00 committed by GitHub
commit dea056848a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/models/campaigns.js
View file

@ -60,10 +60,10 @@ module.exports.statsClickedSubscribersByColumn = (campaign, linkId, request, col
return callback(err);
}
let query_template = 'SELECT %s AS data, COUNT(*) AS cnt FROM `subscription__%d` JOIN `campaign_tracker__%d` ON `campaign_tracker__%d`.`list`=%d AND `campaign_tracker__%d`.`subscriber`=`subscription__%d`.`id` AND `campaign_tracker__%d`.`link`=%d GROUP BY `%s` ORDER BY COUNT(`%s`) DESC, `%s`';
let query_template = 'SELECT ?? AS data, COUNT(*) AS cnt FROM `subscription__%d` JOIN `campaign_tracker__%d` ON `campaign_tracker__%d`.`list`=%d AND `campaign_tracker__%d`.`subscriber`=`subscription__%d`.`id` AND `campaign_tracker__%d`.`link`=%d GROUP BY ?? ORDER BY COUNT(??) DESC, ??';
let query = util.format(query_template, column, campaign.list, campaign.id, campaign.id, campaign.list, campaign.id, campaign.list, campaign.id, linkId, column, column, column);
connection.query(query, (err, rows) => {
connection.query(query, [column, column, column, column], (err, rows) => {
connection.release();
if (err) {
return callback(err);