escape special SQL chars in where clauses (patch 1204728)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@42676 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
Vadim Zeitlin 2006-10-29 21:49:37 +00:00
parent 735a74df5c
commit 9eb11d19b1
4 changed files with 45 additions and 1 deletions


@ -707,6 +707,25 @@ Drops the data table view named in 'viewName'.
If the view does not exist, this function will return true. Note that views are not supported with all datasources. If the view does not exist, this function will return true. Note that views are not supported with all datasources.
\membersection{wxDb::EscapeSqlChars}\label{wxdbescapesqlchars}
\func{wxString}{EscapeSqlChars}{\param{const wxString\& }{value}}
This function is used internally by wxWidgets while building SQL statements.
It has been provided to help users who wish to explicity construct SQL
statements to be sent to the server. The function takes the value passed and
returns it with any special characters escaped. Which characters are
considered special depends on what type of datasource the object is connected
to. For example, most database servers use a backslash as the escape
character; if the value passed contains a backlash it will be replaced with a
double backslash before it is passed to the server. This function can be used
to avoid passing statements with syntax errors to the server as well as prevent
SQL injection attacks.
\wxheading{Parameters}
\docparam{value}{The value to be escaped.}
\membersection{wxDb::ExecSql}\label{wxdbexecsql} \membersection{wxDb::ExecSql}\label{wxdbexecsql}
\func{bool}{ExecSql}{\param{const wxString \&}{pSqlStmt}} \func{bool}{ExecSql}{\param{const wxString \&}{pSqlStmt}}


@ -734,6 +734,9 @@ public:
bool FwdOnlyCursors(void) {return fwdOnlyCursors;} bool FwdOnlyCursors(void) {return fwdOnlyCursors;}
// return the string with all special SQL characters escaped
wxString EscapeSqlChars(const wxString& value);
// These two functions are provided strictly for use by wxDbTable. // These two functions are provided strictly for use by wxDbTable.
// DO NOT USE THESE FUNCTIONS, OR MEMORY LEAKS MAY OCCUR // DO NOT USE THESE FUNCTIONS, OR MEMORY LEAKS MAY OCCUR
void incrementTableCount() { nTables++; return; } void incrementTableCount() { nTables++; return; }
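Review bot: The comment above the new `EscapeSqlChars` declaration does not say that the set of escaped characters depends on the connected DBMS, nor what context the result is valid in, which is exactly what a caller hand-building a statement needs to know. Suggest `// Return 'value' with the characters that are special inside an SQL string literal escaped for the DBMS this connection talks to (see Dbms()); the caller still wraps the result in single quotes.`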


@ -4086,6 +4086,28 @@ bool wxDb::ModifyColumn(const wxString &tableName, const wxString &columnName,
} // wxDb::ModifyColumn() } // wxDb::ModifyColumn()
/********** wxDb::EscapeSqlChars() **********/
wxString wxDb::EscapeSqlChars(const wxString& valueOrig)
{
wxString value(valueOrig);
switch (Dbms())
{
case dbmsACCESS:
// Access doesn't seem to care about backslashes, so only escape single quotes.
value.Replace(wxT("'"), wxT("''"));
break;
default:
// All the others are supposed to be the same for now, add special
// handling for them if necessary
value.Replace(wxT("\\"), wxT("\\\\"));
value.Replace(wxT("'"), wxT("\\'"));
break;
}
return value;
} // wxDb::EscapeSqlChars()
/********** wxDbGetConnection() **********/ /********** wxDbGetConnection() **********/
wxDb WXDLLIMPEXP_ODBC *wxDbGetConnection(wxDbConnectInf *pDbConfig, bool FwdOnlyCursors) wxDb WXDLLIMPEXP_ODBC *wxDbGetConnection(wxDbConnectInf *pDbConfig, bool FwdOnlyCursors)
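Review bot: The `default:` branch of the switch assumes a backslash is the string-literal escape character, which holds for MySQL but not for backends that follow standard SQL: there `\` is an ordinary character, so `\'` leaves the quote unescaped (the literal still terminates at it) and doubling backslashes silently corrupts the stored value. Doubling the quote (`''`) is the only portable escape, so the safer shape is to make that the default and confine the backslash scheme to the backends known to use it; `dbmsMY_SQL` is the enumerator I am confident of (the wxDBMS enumerators are not visible in this hunk) and any others would have to be confirmed per driver. The comment "All the others are supposed to be the same for now" records the assumption but does not make it true. The rewrite below keeps the signature; the `dbmsACCESS` behaviour is unchanged because it collapses into the new default.
```cpp
wxString wxDb::EscapeSqlChars(const wxString& valueOrig)
{
    wxString value(valueOrig);

    switch (Dbms())
    {
        case dbmsMY_SQL:
            // MySQL treats backslash as the escape character inside a string
            // literal, so both it and the single quote must be escaped.
            value.Replace(wxT("\\"), wxT("\\\\"));
            value.Replace(wxT("'"), wxT("\\'"));
            break;

        default:
            // Standard SQL string literals have no escape character other
            // than doubling the quote; a backslash is an ordinary character
            // and "\'" would leave the quote unescaped.
            value.Replace(wxT("'"), wxT("''"));
            break;
    }

    return value;
}
```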


@ -1308,7 +1308,7 @@ void wxDbTable::BuildWhereClause(wxString &pWhereClause, int typeOfWhere,
case SQL_C_WCHAR: case SQL_C_WCHAR:
#endif #endif
//case SQL_C_WXCHAR: SQL_C_WXCHAR is covered by either SQL_C_CHAR or SQL_C_WCHAR //case SQL_C_WXCHAR: SQL_C_WXCHAR is covered by either SQL_C_CHAR or SQL_C_WCHAR
colValue.Printf(wxT("'%s'"), (UCHAR FAR *) colDefs[colNumber].PtrDataObj); colValue.Printf(wxT("'%s'"), GetDb()->EscapeSqlChars((UCHAR FAR *)colDefs[colNumber].PtrDataObj).c_str());
break; break;
case SQL_C_SHORT: case SQL_C_SHORT:
case SQL_C_SSHORT: case SQL_C_SSHORT:
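Review bot: Escaping is applied at this single interpolation point in BuildWhereClause; if wxDbTable builds other statements from string column values the same way (not visible in this hunk), those paths remain unescaped and the protection this change adds is partial. The new line also dereferences `GetDb()` unconditionally where the old line did not touch it, so it is worth confirming a table can never reach this code without a connection. The `(UCHAR FAR *)` cast on a `SQL_C_WCHAR` buffer predates the change, but it now also feeds a `const wxString&` parameter, so the narrow interpretation of wide data in Unicode builds deserves a check. BuildWhereClause starts and ends outside the hunk.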