
Poor man's solution to avoid SQL injection.

git-svn-id: https://svn.osgeo.org/grass/grass/trunk@51866 15284696-431f-4ddb-bdfa-cd5b030d7da7
Soeren Gebbert 13 yıl önce
ebeveyn
işleme
4c180a8dd2

+ 2 - 2
lib/python/temporal/abstract_space_time_dataset.py

@@ -699,9 +699,9 @@ class abstract_space_time_dataset(abstract_dataset):
                 sql = "SELECT * FROM %s  WHERE %s.id IN (SELECT id FROM %s)" % (map_view, map_view, self.get_map_register())
 
             if where:
-                sql += " AND %s" % (where)
+                sql += " AND (%s)" % (where.split(";")[0])
             if order:
-                sql += " ORDER BY %s" % (order)
+                sql += " ORDER BY %s" % (order.split(";")[0])
                 
             try:
                 dbif.cursor.execute(sql)
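Review bot: Cutting `where` and `order` at the first `;` (lines 19 and 22) only drops a chained second statement; both values are still interpolated verbatim into the SELECT, so a crafted condition or ORDER BY expression still changes what the query returns, and the commit message's "poor man's" framing should be reflected in the code. Since `order` should only name columns, the robust check is to validate it against the known column names of the map view and reject anything else before building `sql`; `where` cannot be whitelisted the same way, so at minimum add `# where/order are interpolated into SQL; only the ';' statement separator is stripped, callers must not pass untrusted input` above line 17. The enclosing method starts and ends outside the hunk, so whether the caller already validates these arguments cannot be seen here.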

+ 5 - 0
lib/python/temporal/extract.py

@@ -40,6 +40,11 @@ def extract_dataset(input, output, type, where, expression, base, nprocs=1, regi
        @param layer The vector layer number to be used when no timestamped layer is present, default is 1
        @param vtype The feature type to be extracted for vector maps, default is point,line,boundary,centroid,area and face
     """
+
+    # Check the parameters
+
+    if expression and not base:
+        core.fatal(_("You need to specify the base name of new created maps"))
     
     mapset =  core.gisenv()["MAPSET"]
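Review bot: The new guard at lines 37–38 makes `base` mandatory whenever `expression` is given, but that constraint is not stated in the docstring the hunk sits under; the `@param base` line is presumably above the hunk and should read along the lines of `@param base The base name of the newly created maps, required when expression is set`. The condition also treats an empty string `base` as missing, which matches the error text, but the code that later consumes `base` is outside the hunk. The function extract_dataset starts above and continues past the hunk.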