escape special SQL chars in where clauses (patch 1204728)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@42676 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
2006-10-29 21:49:37 +00:00 · 2006-10-29 21:49:37 +00:00 · 9eb11d19b1
commit 9eb11d19b1
parent 735a74df5c
4 changed files with 45 additions and 1 deletions
--- a/docs/latex/wx/db.tex
+++ b/docs/latex/wx/db.tex
@ -707,6 +707,25 @@ Drops the data table view named in 'viewName'.

 If the view does not exist, this function will return true.  Note that views are not supported with all datasources.

+\membersection{wxDb::EscapeSqlChars}\label{wxdbescapesqlchars}
+
+\func{wxString}{EscapeSqlChars}{\param{const wxString\& }{value}}
+
+This function is used internally by wxWidgets while building SQL statements.
+It has been provided to help users who wish to explicity construct SQL
+statements to be sent to the server.  The function takes the value passed and
+returns it with any special characters escaped.  Which characters are
+considered special depends on what type of datasource the object is connected
+to.  For example, most database servers use a backslash as the escape
+character; if the value passed contains a backlash it will be replaced with a
+double backslash before it is passed to the server.  This function can be used
+to avoid passing statements with syntax errors to the server as well as prevent
+SQL injection attacks.
+
+\wxheading{Parameters}
+
+\docparam{value}{The value to be escaped.}
+
 \membersection{wxDb::ExecSql}\label{wxdbexecsql}

 \func{bool}{ExecSql}{\param{const wxString \&}{pSqlStmt}}
--- a/include/wx/db.h
+++ b/include/wx/db.h
@ -734,6 +734,9 @@ public:

    bool         FwdOnlyCursors(void)  {return fwdOnlyCursors;}

+    // return the string with all special SQL characters escaped
+    wxString     EscapeSqlChars(const wxString& value);
+
    // These two functions are provided strictly for use by wxDbTable.
    // DO NOT USE THESE FUNCTIONS, OR MEMORY LEAKS MAY OCCUR
    void         incrementTableCount() { nTables++; return; }
--- a/src/common/db.cpp
+++ b/src/common/db.cpp
@ -4086,6 +4086,28 @@ bool wxDb::ModifyColumn(const wxString &tableName, const wxString &columnName,

 } // wxDb::ModifyColumn()

+/********** wxDb::EscapeSqlChars() **********/
+wxString wxDb::EscapeSqlChars(const wxString& valueOrig)
+{
+    wxString value(valueOrig);
+    switch (Dbms())
+    {
+        case dbmsACCESS:
+            // Access doesn't seem to care about backslashes, so only escape single quotes.
+            value.Replace(wxT("'"), wxT("''"));
+            break;
+
+        default:
+            // All the others are supposed to be the same for now, add special
+            // handling for them if necessary
+            value.Replace(wxT("\\"), wxT("\\\\"));
+            value.Replace(wxT("'"), wxT("\\'"));
+            break;
+    }
+
+    return value;
+} // wxDb::EscapeSqlChars()
+

 /********** wxDbGetConnection() **********/
 wxDb WXDLLIMPEXP_ODBC *wxDbGetConnection(wxDbConnectInf *pDbConfig, bool FwdOnlyCursors)
--- a/src/common/dbtable.cpp
+++ b/src/common/dbtable.cpp
@ -1308,7 +1308,7 @@ void wxDbTable::BuildWhereClause(wxString &pWhereClause, int typeOfWhere,
                case SQL_C_WCHAR:
 #endif
                //case SQL_C_WXCHAR:  SQL_C_WXCHAR is covered by either SQL_C_CHAR or SQL_C_WCHAR
-                    colValue.Printf(wxT("'%s'"), (UCHAR FAR *) colDefs[colNumber].PtrDataObj);
+                    colValue.Printf(wxT("'%s'"), GetDb()->EscapeSqlChars((UCHAR FAR *)colDefs[colNumber].PtrDataObj).c_str());
                    break;
                case SQL_C_SHORT:
                case SQL_C_SSHORT: