Fixed parameter escaping in SQL shell

jbroadway · Aug 14, 2014 · ddbd72b · ddbd72b
1 parent db35a2c
commit ddbd72b
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 6 deletions.
diff --git a/js/dbman.js b/js/dbman.js
@@ -5,7 +5,7 @@ var dbman = (function ($) {
 	 * Escape a value for output.
 	 */
 	self.esc = function (html) {
-		return html
+		return String(html)
 			.replace (/&/g, '&amp;')
 			.replace (/</g, '&lt;')
 			.replace (/>/g, '&gt;')
@@ -50,8 +50,12 @@ var dbman = (function ($) {
 	/**
 	 * Makes an AJAX call for the results of an SQL query.
 	 */
-	self.query = function (f) {
-		var params = {query: $('#query').val ()};
+	self.query = function (query) {
+		var params = {query: query};
+		console.log (params);
+		if (! query) {
+			return;
+		}
 
 		$('#results').html ($.i18n ('Please wait...'));
 

diff --git a/views/shell.html b/views/shell.html
@@ -2,9 +2,9 @@
 
 <p><a href="/dbman/index">&laquo; {"Back"}</a></p>
 
-<form method="post" onsubmit="return dbman.query (this)">
+<form method="post" id="shell">
 <p><textarea name="query" id="query" cols="70" rows="8">{{ query }}</textarea><br />
-<input type="submit" value="{"Execute"}" /></p>
+<input type="submit" id="submit" value="{"Execute"}" /></p>
 </form>
 
 <div id="results"></div>
@@ -14,4 +14,16 @@
 	width: 600px;
 	height: 150px;
 }
-</style>
+#submit {
+	outline: none;
+}
+</style>
+
+<script>
+$(function () {
+	$('#shell').submit (function (e) {
+		e.preventDefault ();
+		dbman.query ($('#query').val ());
+	});
+});
+</script>