[PATCH] TicketQuery Limit Query Results

[Karmadude <karmadude@…>]

Added functionality to limit number of records in query via the query string

Example

[[TicketQuery(version=1.0|2.0&resolution=duplicate&limit=5)]]

[karmadude@…]

TracQuery Limit Patch

[Christian Boos]

Nice little patch ;-) However, the self.limit should be appended to the args list, in order to protect against SQL injections issues.

[karmadude@…]

I have added an updated patch, I changed the code to match closely to how order argument is handled. Also I had to update the query call in process_request function to use the limit arg.

cobos, I am not very familiar with the Trac code, this was my first stab at a solution, and I just followed how the order arg was being handled. As for SQL injections, we have a internal deployment of Trac, and so I did not give that much thought. If you have some suggestions as to how to improve the code, I can take a stab at improving the patch.

[Christian Boos]

Usually what we do is simply to dissociate the SQL statement from the arguments:

if self.limit:
    sql.append("\nLIMIT %s")
    args.append(self.limit)

and later call cursor.execute(sql, args), which takes care of using the args as arguments; otherwise you could pass arbitrary SQL in the limit query parameter.

[karmadude@…]

cboos, thanks for explaining that to me, it all makes sense now. I have updated the patch.

[Christian Boos]

Implemented in [5149:5150]. Thanks for the patch!