
[mysql] did your really name your son robert'); drop table students;--

moritz committed May 4, 2012
1 parent 251b9bf commit ebda4c27637a3d374437b6b143a1a740c39d95d7
Showing with 14 additions and 3 deletions.
  1. +14 −3 lib/DBDish/mysql.pm6
@@ -140,11 +140,11 @@ class DBDish::mysql::StatementHandle does DBDish::StatementHandle {
my $statement = $!statement;
while @params.elems>0 and $statement.index('?')>=0 {
my $param = @params.shift;
- if $param ~~ /<-[0..9]>/ {
- $statement .= subst("?","'$param'"); # quote non numerics
+ if $param ~~ /<-[0..9.]>/ {
+ $statement .= subst("?", self.quote($param.Str)); # quote non numerics
}
else {
- $statement .= subst("?",$param); # do not quote numbers
+ $statement .= subst("?", $param); # do not quote numbers
}
}
# warn "in DBDish::mysql::StatementHandle.execute statement=$statement";
@@ -160,6 +160,17 @@ class DBDish::mysql::StatementHandle does DBDish::StatementHandle {
return ($rows == 0) ?? "0E0" !! $rows;
}
+ method escape(Str $x) {
+ # XXX should really call mysql_real_scape_string
+ $x.trans(
+ [q['], q["], q[\\], chr(0), "\r", "\n"]
+ => [q[\'], q[\"], q[\\\\], '\0', '\r', '\n']
+ );
+ }
+ method quote(Str $x) {
+ q['] ~ self.escape($x) ~ q['];
+ }
+
# do() and execute() return the number of affected rows directly or:
# rows() is called on the statement handle $sth.
method rows() {
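Review bot: `escape` in the second hunk relies on backslash escaping alone, which MySQL does not honour when the session runs with `sql_mode=NO_BACKSLASH_ESCAPES` and which, unlike `mysql_real_escape_string`, is not aware of the connection charset; the XXX comment already names the right call, so I would make the interim status explicit: `# TODO: use mysql_real_escape_string (charset-aware, honours NO_BACKSLASH_ESCAPES); this table is a stop-gap`. Two cheap hardenings that hold in both modes are mapping `'` to `''` instead of `\'`, and adding Ctrl-Z (`chr(26)`) to the table, since `mysql_real_escape_string` covers it and this table does not. Separately, the loop in the first hunk re-scans the already-substituted statement, so a bound value that itself contains `?` is treated as the next placeholder; substituting left to right in a single pass, or only searching the text after the previous replacement, avoids that. The empty string also fails the "non-numeric" test at `if $param ~~ /<-[0..9.]>/` and is inserted bare, which yields a syntax error rather than `''`. The enclosing class starts before the first hunk and continues after the second.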
