escape special SQL chars in where clauses (patch 1204728)
git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@42676 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
parent
735a74df5c
commit
9eb11d19b1
@ -707,6 +707,25 @@ Drops the data table view named in 'viewName'.
|
|||||||
|
|
||||||
If the view does not exist, this function will return true. Note that views are not supported with all datasources.
|
If the view does not exist, this function will return true. Note that views are not supported with all datasources.
|
||||||
|
|
||||||
|
\membersection{wxDb::EscapeSqlChars}\label{wxdbescapesqlchars}
|
||||||
|
|
||||||
|
\func{wxString}{EscapeSqlChars}{\param{const wxString\& }{value}}
|
||||||
|
|
||||||
|
This function is used internally by wxWidgets while building SQL statements.
|
||||||
|
It has been provided to help users who wish to explicity construct SQL
|
||||||
|
statements to be sent to the server. The function takes the value passed and
|
||||||
|
returns it with any special characters escaped. Which characters are
|
||||||
|
considered special depends on what type of datasource the object is connected
|
||||||
|
to. For example, most database servers use a backslash as the escape
|
||||||
|
character; if the value passed contains a backlash it will be replaced with a
|
||||||
|
double backslash before it is passed to the server. This function can be used
|
||||||
|
to avoid passing statements with syntax errors to the server as well as prevent
|
||||||
|
SQL injection attacks.
|
||||||
|
|
||||||
|
\wxheading{Parameters}
|
||||||
|
|
||||||
|
\docparam{value}{The value to be escaped.}
|
||||||
|
|
||||||
\membersection{wxDb::ExecSql}\label{wxdbexecsql}
|
\membersection{wxDb::ExecSql}\label{wxdbexecsql}
|
||||||
|
|
||||||
\func{bool}{ExecSql}{\param{const wxString \&}{pSqlStmt}}
|
\func{bool}{ExecSql}{\param{const wxString \&}{pSqlStmt}}
|
||||||
|
@ -734,6 +734,9 @@ public:
|
|||||||
|
|
||||||
bool FwdOnlyCursors(void) {return fwdOnlyCursors;}
|
bool FwdOnlyCursors(void) {return fwdOnlyCursors;}
|
||||||
|
|
||||||
|
// return the string with all special SQL characters escaped
|
||||||
|
wxString EscapeSqlChars(const wxString& value);
|
||||||
|
|
||||||
// These two functions are provided strictly for use by wxDbTable.
|
// These two functions are provided strictly for use by wxDbTable.
|
||||||
// DO NOT USE THESE FUNCTIONS, OR MEMORY LEAKS MAY OCCUR
|
// DO NOT USE THESE FUNCTIONS, OR MEMORY LEAKS MAY OCCUR
|
||||||
void incrementTableCount() { nTables++; return; }
|
void incrementTableCount() { nTables++; return; }
|
||||||
|
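Review bot: The new declaration `wxString EscapeSqlChars(const wxString& value);` should state the contract callers depend on: the result is meant to be placed between single quotes by the caller (as the `'%s'` in BuildWhereClause does), the function does not add the quotes itself, and which characters are rewritten depends on the connected Dbms(). A caller that interpolates the return value unquoted, or into a non-string context, gets no protection from it, so the one-line comment above the declaration should say so, e.g. `// Escape characters that would end a single-quoted SQL string literal; the caller supplies the quotes. Rules depend on Dbms().` The enclosing class starts outside the hunk.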
@ -4086,6 +4086,28 @@ bool wxDb::ModifyColumn(const wxString &tableName, const wxString &columnName,
|
|||||||
|
|
||||||
} // wxDb::ModifyColumn()
|
} // wxDb::ModifyColumn()
|
||||||
|
|
||||||
|
/********** wxDb::EscapeSqlChars() **********/
|
||||||
|
wxString wxDb::EscapeSqlChars(const wxString& valueOrig)
|
||||||
|
{
|
||||||
|
wxString value(valueOrig);
|
||||||
|
switch (Dbms())
|
||||||
|
{
|
||||||
|
case dbmsACCESS:
|
||||||
|
// Access doesn't seem to care about backslashes, so only escape single quotes.
|
||||||
|
value.Replace(wxT("'"), wxT("''"));
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
// All the others are supposed to be the same for now, add special
|
||||||
|
// handling for them if necessary
|
||||||
|
value.Replace(wxT("\\"), wxT("\\\\"));
|
||||||
|
value.Replace(wxT("'"), wxT("\\'"));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return value;
|
||||||
|
} // wxDb::EscapeSqlChars()
|
||||||
|
|
||||||
|
|
||||||
/********** wxDbGetConnection() **********/
|
/********** wxDbGetConnection() **********/
|
||||||
wxDb WXDLLIMPEXP_ODBC *wxDbGetConnection(wxDbConnectInf *pDbConfig, bool FwdOnlyCursors)
|
wxDb WXDLLIMPEXP_ODBC *wxDbGetConnection(wxDbConnectInf *pDbConfig, bool FwdOnlyCursors)
|
||||||
|
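Review bot: The `default:` branch escapes a single quote as `\'`, but that form is only understood by servers that treat backslash as an escape character; on datasources that follow the SQL standard a backslash is an ordinary character inside a literal, so `\'` still terminates the string and the injection protection the commit describes does not hold there, while the doubled backslash also changes the stored value. Doubling the quote (`''`) is the standard form and is accepted by backslash-escaping servers too, so the safer default is `value.Replace(wxT("'"), wxT("''"));`, with the backslash doubling moved out of `default:` into a `case` for the DBMSs known to use backslash escaping (where it is still required, since a trailing backslash would otherwise escape the closing quote). The comment `// All the others are supposed to be the same for now` should then name which servers were actually verified rather than asserting they all agree. A regression test feeding values containing `'` and `\` through this function for each supported datasource would pin the behaviour.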
@ -1308,7 +1308,7 @@ void wxDbTable::BuildWhereClause(wxString &pWhereClause, int typeOfWhere,
|
|||||||
case SQL_C_WCHAR:
|
case SQL_C_WCHAR:
|
||||||
#endif
|
#endif
|
||||||
//case SQL_C_WXCHAR: SQL_C_WXCHAR is covered by either SQL_C_CHAR or SQL_C_WCHAR
|
//case SQL_C_WXCHAR: SQL_C_WXCHAR is covered by either SQL_C_CHAR or SQL_C_WCHAR
|
||||||
colValue.Printf(wxT("'%s'"), (UCHAR FAR *) colDefs[colNumber].PtrDataObj);
|
colValue.Printf(wxT("'%s'"), GetDb()->EscapeSqlChars((UCHAR FAR *)colDefs[colNumber].PtrDataObj).c_str());
|
||||||
break;
|
break;
|
||||||
case SQL_C_SHORT:
|
case SQL_C_SHORT:
|
||||||
case SQL_C_SSHORT:
|
case SQL_C_SSHORT:
|
||||||
|
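Review bot: The escaping added at `colValue.Printf(wxT("'%s'"), GetDb()->EscapeSqlChars((UCHAR FAR *)colDefs[colNumber].PtrDataObj).c_str());` covers only this character branch of BuildWhereClause, whose body starts and ends outside the hunk; any other site in the function, or in the other statement builders, that still formats a string column with `'%s'` keeps the original problem and should be checked in the same change. The line relies on EscapeSqlChars supplying no quotes of its own, which is worth a short comment, e.g. `// EscapeSqlChars() only escapes; the quotes around %s are supplied here`. The pre-existing `(UCHAR FAR *)` cast of what is, under `case SQL_C_WCHAR:`, presumably a wide-character buffer into a narrow string looks suspect and is worth a separate look.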