From c16ee37a7106c645a0d17cc6bd8d399e20f61d96 Mon Sep 17 00:00:00 2001
From: Bung
Date: Fri, 4 Sep 2020 17:04:27 +0800
Subject: [PATCH] Fix #15219 SQL escape in db_mysql is not enough (#15234)

---
 lib/impure/db_mysql.nim | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib/impure/db_mysql.nim b/lib/impure/db_mysql.nim
index c96829830d289..c3bcee677b407 100644
--- a/lib/impure/db_mysql.nim
+++ b/lib/impure/db_mysql.nim
@@ -118,10 +118,24 @@ when false:
 
 proc dbQuote*(s: string): string =
   ## DB quotes the string.
-  result = "'"
+  result = newStringOfCap(s.len + 2)
+  result.add "'"
   for c in items(s):
-    if c == '\'': add(result, "''")
-    else: add(result, c)
+    # see https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#mysql-escaping
+    case c
+    of '\0': result.add "\\0"
+    of '\b': result.add "\\b"
+    of '\t': result.add "\\t"
+    of '\l': result.add "\\n"
+    of '\r': result.add "\\r"
+    of '\x1a': result.add "\\Z"
+    of '"': result.add "\\\""
+    of '%': result.add "\\%"
+    of '\'': result.add "\\'"
+    of '\\': result.add "\\\\"
+    of '_': result.add "\\_"
+    of Letters+Digits: result.add c
+    else: result.add "\\" & $ord(c)
   add(result, '\'')
 
 proc dbFormat(formatstr: SqlQuery, args: varargs[string]): string =
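Review bot: The new `else: result.add "\\" & $ord(c)` branch corrupts ordinary data rather than protecting it: MySQL has no decimal escape sequence, and a backslash before an unrecognised character is simply dropped, so a space (ord 32) is stored as the literal text `32` and every byte of a UTF-8 character becomes its decimal value. All the characters the cited OWASP list requires are already covered by the explicit `of` arms, so the fallback should pass the byte through unchanged: `else: result.add c`. The `of '%'` and `of '_'` arms are likewise questionable for a general quoting routine, since outside a LIKE pattern MySQL keeps `\%` and `\_` as the two-character sequences, so a value such as `50%` is persisted with a stray backslash. Finally, every backslash escape here stops working when the server runs with `sql_mode=NO_BACKSLASH_ESCAPES`, in which case `\'` leaves the quote unescaped, whereas the removed `''` doubling was valid in either mode; as `dbQuote` has no connection handle to consult, the doc comment should state this, e.g. `## Assumes the server is not running with NO_BACKSLASH_ESCAPES; prefer parameter binding where available.`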