From 38edd4fcb79133c3c7ed0a66ca8b78a777f4f8b2 Mon Sep 17 00:00:00 2001
From: Johannes Hoermann <j.hoermann@adito.de>
Date: Mon, 4 Nov 2019 13:16:46 +0100
Subject: [PATCH] use Prepared Statement in Data_alias.CONTRACT.query

---
 .../indexsearchgroups/contract/query.js       | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/aliasDefinition/Data_alias/indexsearchgroups/contract/query.js b/aliasDefinition/Data_alias/indexsearchgroups/contract/query.js
index c80b55a38be..9b6641b991c 100644
--- a/aliasDefinition/Data_alias/indexsearchgroups/contract/query.js
+++ b/aliasDefinition/Data_alias/indexsearchgroups/contract/query.js
@@ -1,28 +1,28 @@
-import("system.translate");
 import("system.result");
-import("system.vars");
-import("system.calendars");
 import("system.db");
+import("system.vars");
+import("system.translate");
 import("Keyword_lib");
 import("Sql_lib");
 import("KeywordRegistry_basic");
 
-var sqlQuery, sqlHelper, queryCondition, affectedIds;
-queryCondition = "";
+var sqlHelper = new SqlMaskingUtils();
+var affectedIds;
+
+var sqlQuery = newSelect("CONTRACTID, " 
+                    + sqlHelper.concat(["CONTRACTCODE", KeywordUtils.getResolvedTitleSqlPart($KeywordRegistry.contractStatus(), "CONTRACTSTATUS")], " | ")
+                    + " as TITLECOLUMN, " 
+                    + sqlHelper.concat(["ORGANISATION.NAME", "'| " + translate.text("Type of contract") + ":'", 
+                            KeywordUtils.getResolvedTitleSqlPart($KeywordRegistry.contractType(), "CONTRACTTYPE")]) 
+                    + " as DESCCOLUMN, CONTRACTCODE, ORGANISATION.NAME, CUSTOMERCODE " )
+                .from("CONTRACT")
+                .join("CONTACT", "CONTRACT.CONTACT_ID = CONTACTID")
+                .join("ORGANISATION", "ORGANISATIONID = CONTACT.ORGANISATION_ID")
+                .orderBy("CONTRACTCODE")
+
 if (vars.exists("$local.idvalue")) {
     affectedIds = vars.get("$local.idvalue");
-    queryCondition = "where CONTRACTID in ('" + affectedIds.map(function (v){return db.quote(v);}).join("', '") + "')";
-    //TODO: refactor this for incremental indexer (injections?)
+    sqlQuery.where("CONTRACT.CONTRACTID", affectedIds, SqlBuilder.IN())
 }
-sqlHelper = new SqlMaskingUtils();
-sqlQuery = "select CONTRACTID, " 
-    + sqlHelper.concat(["CONTRACTCODE", KeywordUtils.getResolvedTitleSqlPart($KeywordRegistry.contractStatus(), "CONTRACTSTATUS")], " | ")
-    + " as TITLECOLUMN, " 
-    + sqlHelper.concat(["ORGANISATION.NAME", "'| " + translate.text("Type of contract") + ":'", 
-            KeywordUtils.getResolvedTitleSqlPart($KeywordRegistry.contractType(), "CONTRACTTYPE")]) 
-    + " as DESCCOLUMN, CONTRACTCODE, ORGANISATION.NAME, CUSTOMERCODE " 
-    + " from CONTRACT "
-    + " join CONTACT on CONTRACT.CONTACT_ID = CONTACTID "
-    + " join ORGANISATION on ORGANISATIONID = CONTACT.ORGANISATION_ID "
-    + queryCondition + " order by CONTRACTCODE ";
+
 result.string(sqlQuery);
\ No newline at end of file
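Review bot: The translated label on line 34 (`"'| " + translate.text("Type of contract") + ":'"`) is still spliced into the statement as a hand-quoted SQL literal, so the prepared-statement conversion on line 46 covers only the id list and this remains the one piece of dynamic text built by concatenation; a translation containing a single quote would break the query. The value comes from the translation table rather than from request input, so this is mainly a robustness gap, but for consistency with the commit's intent it should at least be escaped the way the removed line 44 did, e.g. `"'| " + db.quote(translate.text("Type of contract")) + ":'"`, or passed as a builder parameter if SqlBuilder supports that for select-list literals. Separately, `result.string(sqlQuery)` on line 60 now receives an SqlBuilder object instead of a string; whether that serialises with the IN-list value bound or inlined, or expects an explicit build step first, is not visible in this hunk and should be confirmed against the consumer of this result. The chained statements ending on lines 40 and 46 also lack terminating semicolons, which the file otherwise uses.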
-- 
GitLab