Merge 'sybase_noquote' into 'sybase'

[dbsrgits/DBIx-Class.git] / lib / DBIx / Class / Storage / DBI / NoBindVars.pm

diff --git a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
index 7027ad6..5180f96 100644 (file)
--- a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
+++ b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
@@ -55,7 +55,7 @@ sub _prep_for_execute {
         if(ref $data) {
             $data = ''.$data;
         }
-        $data = $self->_dbh->quote($data);
+        $data = $self->_dbh->quote($data) if $self->should_quote_data_type($datatype, $data);
         $new_sql .= shift(@sql_part) . $data;
     }
   }
@@ -64,6 +64,25 @@ sub _prep_for_execute {
   return ($new_sql, []);
 }
 
+=head2 should_quote_data_type   
+                                
+This method is called by L</_prep_for_execute> for every column in
+order to determine if its value should be quoted or not. The arguments
+are the current column data type and the actual bind value. The return
+value is interpreted as: true - do quote, false - do not quote. You should
+override this in you Storage::DBI::<database> subclass, if your RDBMS
+does not like quotes around certain datatypes (e.g. Sybase and integer
+columns). The default method always returns true (do quote).
+                                
+ WARNING!!!                     
+                                
+ Always validate that the bind-value is valid for the current datatype.
+ Otherwise you may very well open the door to SQL injection attacks.
+                                
+=cut                            
+                                
+sub should_quote_data_type { 1 }
+
 =head1 AUTHORS
 
 Brandon Black <blblack@gmail.com>