From 2197ff982e507355dba55883be2195d654bfbb2d Mon Sep 17 00:00:00 2001
From: Kazuhiro Sera
Date: Thu, 18 Apr 2013 22:31:04 +0900
Subject: [PATCH] Fixed #116 Possible SQL injection vulnerability

---
 .../scala/scalikejdbc/interpolation/SQLSyntax.scala | 10 +++++++++-
 .../test/scala/scalikejdbc/SQLInterpolationSpec.scala | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/scalikejdbc-interpolation-core/src/main/scala/scalikejdbc/interpolation/SQLSyntax.scala b/scalikejdbc-interpolation-core/src/main/scala/scalikejdbc/interpolation/SQLSyntax.scala
index ecdc1c94d..76dd63673 100644
--- a/scalikejdbc-interpolation-core/src/main/scala/scalikejdbc/interpolation/SQLSyntax.scala
+++ b/scalikejdbc-interpolation-core/src/main/scala/scalikejdbc/interpolation/SQLSyntax.scala
@@ -5,5 +5,13 @@ package scalikejdbc.interpolation
  *
  * This value won't be treated as a binding parameter but will be appended as a part of SQL.
  */
-case class SQLSyntax(value: String, parameters: Seq[Any] = Vector())
+class SQLSyntax private[scalikejdbc] (val value: String, val parameters: Seq[Any] = Vector())
+
+object SQLSyntax {
+
+  private[scalikejdbc] def apply(value: String, parameters: Seq[Any]) = new SQLSyntax(value, parameters)
+
+  def unapply(syntax: SQLSyntax): Option[(String, Seq[Any])] = Some((syntax.value, syntax.parameters))
+
+}
diff --git a/scalikejdbc-interpolation-core/src/test/scala/scalikejdbc/SQLInterpolationSpec.scala b/scalikejdbc-interpolation-core/src/test/scala/scalikejdbc/SQLInterpolationSpec.scala
index e9599427c..8f0edbd7e 100644
--- a/scalikejdbc-interpolation-core/src/test/scala/scalikejdbc/SQLInterpolationSpec.scala
+++ b/scalikejdbc-interpolation-core/src/test/scala/scalikejdbc/SQLInterpolationSpec.scala
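Review bot: `private[scalikejdbc]` on the constructor and on `apply` only fences out code that sits outside the `scalikejdbc` package; any caller can declare `package scalikejdbc` and write `new SQLSyntax(untrustedString)` again, so this is a guard against accidental misuse rather than an enforced trust boundary, and the Scaladoc above the class should say that the only supported public construction path is the interpolator (presumably `sqls`, which is not in this hunk). Dropping `case` also silently removes `equals`/`hashCode`/`toString`, so two `SQLSyntax` values built from the same string no longer compare equal and `toString` prints `SQLSyntax@<hash>`; if anything in the library or its tests compares or logs these, add explicit definitions in the class. Removing the synthetic `copy` is the right call, since `copy(value = ...)` would have been another way to splice raw text into the statement. I would add under the existing sentence: `* Instances must only be built from trusted, developer-written SQL fragments (normally via the sqls interpolator); never from user-controlled strings.`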
@@ -103,7 +103,7 @@ class SQLInterpolationSpec extends FlatSpec with ShouldMatchers {
     }
     val ids = List(1, 2, 4) ::: (100 until 200).toList
-    val sorting = SQLSyntax("DESC")
+    val sorting = sqls"desc"
     val users = sql"select * from users where id in (${ids}) order by id ${sorting}".map { rs =>
       User(id = rs.int("id"), name = rs.stringOpt("name"))
     }.list.apply()
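Review bot: The spec appears to live in package `scalikejdbc` (judging from its path), where `private[scalikejdbc]` still admits `SQLSyntax("DESC")`, so switching to `sqls"desc"` keeps the test green but does not demonstrate that the public construction path is now closed. A negative check from a different package — a compile-time assertion if the test framework in use offers one — would pin the fix against regression; at minimum annotate the changed line: `val sorting = sqls"desc" // SQLSyntax(...) / new SQLSyntax(...) are package-private since #116; only the interpolator is public API`. The enclosing test body continues past the hunk, so I cannot see what is asserted on `users`.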