X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FDBIx%2FClass%2FStorage%2FDBI%2FNoBindVars.pm;h=126b9de2bd28327ee1ceefa19f04626dd7906d54;hb=bc144884abdf828846ecc29122647fdaf1ac2487;hp=c5fa9af010858c47c33c015d06618b1793659308;hpb=d944c5aea7c21750ce97107aacb50db173ff2ddb;p=dbsrgits%2FDBIx-Class-Historic.git

diff --git a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
index c5fa9af..126b9de 100644
--- a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
+++ b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 
 use base 'DBIx::Class::Storage::DBI';
+use mro 'c3';
 
 =head1 NAME 
 
@@ -38,23 +39,68 @@ Manually subs in the values for the usual C<?> placeholders.
 
 sub _prep_for_execute {
   my $self = shift;
+
+  my ($op, $extra_bind, $ident, $args) = @_;
+
   my ($sql, $bind) = $self->next::method(@_);
 
   # stringify args, quote via $dbh, and manually insert
 
+  my @sql_part = split /\?/, $sql;
+  my $new_sql;
+
+  my $col_info = $self->_resolve_column_info($ident, [ map $_->[0], @$bind ]);
+
   foreach my $bound (@$bind) {
-    shift @$bound;
+    my $col = shift @$bound;
+
+    my $datatype = $col_info->{$col}{data_type};
+
     foreach my $data (@$bound) {
-        if(ref $data) {
-            $data = ''.$data;
-        }
-        $sql =~ s/\?/$self->_dbh->quote($data)/e;
+      $data = ''.$data if ref $data;
+
+      $data = $self->transform_unbound_value($datatype, $data)
+        if $datatype;
+
+      $data = $self->_dbh->quote($data)
+        if (!$datatype || $self->should_quote_value($datatype, $data));
+
+      $new_sql .= shift(@sql_part) . $data;
     }
   }
+  $new_sql .= join '', @sql_part;
 
-  return ($sql);
+  return ($new_sql, []);
 }
 
+=head2 should_quote_value
+
+This method is called by L</_prep_for_execute> for every column in
+order to determine if its value should be quoted or not. The arguments
+are the current column data type and the actual bind value. The return
+value is interpreted as: true - do quote, false - do not quote. You should
+override this in you Storage::DBI::<database> subclass, if your RDBMS
+does not like quotes around certain datatypes (e.g. Sybase and integer
+columns). The default method always returns true (do quote).
+
+ WARNING!!!                     
+
+ Always validate that the bind-value is valid for the current datatype.
+ Otherwise you may very well open the door to SQL injection attacks.
+
+=cut                            
+
+sub should_quote_value { 1 }
+
+=head2 transform_unbound_value
+
+Given a datatype and the value to be inserted directly into a SQL query, returns
+the necessary SQL fragment to represent that value.
+
+=cut
+
+sub transform_unbound_value { $_[2] }
+
 =head1 AUTHORS
 
 Brandon Black <blblack@gmail.com>