Fix #15219 SQL escape in db_mysql is not enough (#15234)
bung87 authored Sep 4, 2020
1 parent 77df023 commit c16ee37
Showing 1 changed file with 17 additions and 3 deletions.
20 changes: 17 additions & 3 deletions lib/impure/db_mysql.nim
Expand Up @@ -118,10 +118,24 @@ when false:

proc dbQuote*(s: string): string =
## DB quotes the string.
result = "'"
result = newStringOfCap(s.len + 2)
result.add "'"
for c in items(s):
if c == '\'': add(result, "''")
else: add(result, c)
# see https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#mysql-escaping
case c
of '\0': result.add "\\0"
of '\b': result.add "\\b"
of '\t': result.add "\\t"
of '\l': result.add "\\n"
of '\r': result.add "\\r"
of '\x1a': result.add "\\Z"
of '"': result.add "\\\""
of '%': result.add "\\%"


ba0f3 Nov 16, 2020


escaping % causes text search with LIKE to stop working.

conn.getRow(sql"SELECT * FROM user WHERE username LIKE ?", "admin%")
of '\'': result.add "\\'"
of '\\': result.add "\\\\"
of '_': result.add "\\_"
of Letters+Digits: result.add c
else: result.add "\\" & $ord(c)
add(result, '\'')

proc dbFormat(formatstr: SqlQuery, args: varargs[string]): string =
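Review bot: The `else: result.add "\\" & $ord(c)` fallback at the end of the new `case` in dbQuote corrupts every byte outside `Letters+Digits`: MySQL silently drops a backslash that precedes a character it does not treat as an escape, so a space is stored as the literal digits `32` and each byte of a multi-byte UTF-8 character becomes its decimal ordinal, i.e. `'a b'` ends up as `a32b`. The OWASP page cited on the new comment line escapes other characters as backslash plus the character itself, never its ordinal, and since MySQL ignores a backslash before an unrecognised character, appending the byte unchanged, `else: result.add c`, is equivalent and keeps multi-byte sequences intact. Replacing the old `''` doubling with `\'` also ties the quote escape to the server not running in NO_BACKSLASH_ESCAPES mode, where the backslash is literal and the quote closes the literal; doubling, `of '\'': result.add "''"`, is valid in both modes. Fully charset-aware escaping needs the connection (mysql_real_escape_string), which this connection-less proc cannot provide, and the doc comment `## DB quotes the string.` should say that it escapes for a single-byte or UTF-8 connection only.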
