
Conversation

@jasonhildebrand

Recently we audited an internal Webware app for security. We found that there is no mechanism in MiddleKit to pass user-submitted args separately. Due to this, our approach had been to use string concatenation to build queries - however, this is vulnerable to SQL injection attacks.

We implemented this improvement which supports passing separate arguments to Store.fetchObjectsOfClass(), so that it is possible to build queries safely.

We have tested under MySQL.
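
As an added illustration of the point raised in this PR (this is example code written for this page, not the Webware/MiddleKit code or the author's patch): the two query-building styles side by side. It uses Python's standard `sqlite3` module so it runs offline; the `users` table and its rows are constructed sample data, and `find_users_concat`/`find_users_bound` are hypothetical helper names, not MiddleKit API. sqlite3 uses `?` placeholders where MySQLdb/PyMySQL use `%s`, but the mechanism is the same: the value is sent separately and is never parsed as SQL.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the Webware project).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_users_concat(conn, name):
    """Vulnerable: the user-supplied value is spliced into the SQL text.

    This mirrors the string-concatenation approach described in the PR; a value
    containing a quote character rewrites the query instead of being compared.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_users_bound(conn, name):
    """Safe: the SQL text is fixed and the value travels separately as a bound parameter.

    sqlite3 uses '?' placeholders; MySQL drivers use '%s'. Either way the driver
    treats the value as data, so a quote in it cannot change the query's structure.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an honest value and a classic injection payload."""
    conn = make_db()
    honest = "alice"
    payload = "' OR '1'='1"  # closes the quoted literal and appends an always-true condition

    results = {
        "concat_honest": find_users_concat(conn, honest),
        "bound_honest": find_users_bound(conn, honest),
        "concat_payload": find_users_concat(conn, payload),  # leaks every row
        "bound_payload": find_users_bound(conn, payload),    # matches nothing
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, "->", len(rows), "row(s)")
```

Running it shows the concatenated query returning all three rows for the payload while the bound-parameter query returns none; the honest lookup behaves identically in both versions, which is why a change like this one can be backward compatible for callers that already pass literal values.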

@Cito
Member

Cito commented Mar 8, 2018

Right, it's always better to use bound parameters that are passed separately. Your solution looks good to me, as it should be backward compatible. Maybe we should not pass the commit flag explicitly though, but rely on the default value?

@jasonhildebrand
Author

Thanks for the feedback. Yes, I agree about the commit flag. We'll update the branch to not pass the commit flag explicitly.

@jasonhildebrand
Author

OK, should be good to go now.

@Cito Cito merged commit cfe2447 into WebwareForPython:master Mar 13, 2018