X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FDBIx%2FClass%2FStorage%2FDBI%2FNoBindVars.pm;h=495b3c85dd8333b64b433efc715c0a77f6311587;hb=87b1255103d7b8873b225416cb381c50011f4c06;hp=565178e9a05a22bd3c4516ea217317acf3af0e56;hpb=0f6e30eee38ebbf4e1b636cdfbea06333741685a;p=dbsrgits%2FDBIx-Class.git

diff --git a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
index 565178e..495b3c8 100644
--- a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
+++ b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
@@ -4,8 +4,11 @@ use strict;
 use warnings;
 
 use base 'DBIx::Class::Storage::DBI';
+use mro 'c3';
 
-=head1 NAME 
+use DBIx::Class::SQLMaker::LimitDialects;
+
+=head1 NAME
 
 DBIx::Class::Storage::DBI::NoBindVars - Sometime DBDs have poor to no support for bind variables
 
@@ -17,72 +20,112 @@ well, as is the case with L<DBD::Sybase>
 
 =head1 METHODS
 
-=head2 sth
+=head2 connect_info
 
-Uses C<prepare> instead of the usual C<prepare_cached>, seeing as we can't cache very effectively without bind variables.
+We can't cache very effectively without bind variables, so force the C<disable_sth_caching> setting to be turned on when the connect info is set.
 
 =cut
 
-sub sth {
-  my ($self, $sql) = @_;
-  return $self->dbh->prepare($sql);
+sub connect_info {
+    my $self = shift;
+    my $retval = $self->next::method(@_);
+    $self->disable_sth_caching(1);
+    $retval;
 }
 
-=head2 _execute
+=head2 _prep_for_execute
 
-Manually subs in the values for the usual C<?> placeholders before calling L</sth> on the generated SQL.
+Manually subs in the values for the usual C<?> placeholders.
 
 =cut
 
-sub _execute {
-  my ($self, $op, $extra_bind, $ident, @args) = @_;
-  my ($sql, @bind) = $self->sql_maker->$op($ident, @args);
-  unshift(@bind, @$extra_bind) if $extra_bind;
-  if ($self->debug) {
-    my @debug_bind = map { defined $_ ? qq{'$_'} : q{'NULL'} } @bind;
-    $self->debugobj->query_start($sql, @debug_bind);
-  }
+sub _prep_for_execute {
+  my $self = shift;
 
-  while(my $bvar = shift @bind) {
-    $bvar = $self->_dbh->quote($bvar);
-    $sql =~ s/\?/$bvar/;
-  }
+  my ($sql, $bind) = $self->next::method(@_);
 
-  my $sth = eval { $self->sth($sql,$op) };
+  # stringify bind args, quote via $dbh, and manually insert
+  #my ($op, $ident, $args) = @_;
+  my $ident = $_[1];
 
-  if (!$sth || $@) {
-    $self->throw_exception(
-      'no sth generated via sql (' . ($@ || $self->_dbh->errstr) . "): $sql"
-    );
-  }
+  my @sql_part = split /\?/, $sql;
+  my $new_sql;
 
-  my $rv;
-  if ($sth) {
-    my $time = time();
-    $rv = eval { $sth->execute };
+  for (@$bind) {
+    my $data = (ref $_->[1]) ? "$_->[1]" : $_->[1]; # always stringify, array types are currently not supported
 
-    if ($@ || !$rv) {
-      $self->throw_exception("Error executing '$sql': ".($@ || $sth->errstr));
-    }
-  } else {
-    $self->throw_exception("'$sql' did not generate a statement.");
-  }
-  if ($self->debug) {
-    my @debug_bind = map { defined $_ ? qq{`$_'} : q{`NULL'} } @bind;
-    $self->debugobj->query_end($sql, @debug_bind);
+    my $datatype = $_->[0]{sqlt_datatype};
+
+    $data = $self->_prep_interpolated_value($datatype, $data)
+      if $datatype;
+
+    $data = $self->_get_dbh->quote($data)
+      unless ($datatype and $self->interpolate_unquoted($datatype, $data) );
+
+    $new_sql .= shift(@sql_part) . $data;
   }
-  return (wantarray ? ($rv, $sth, @bind) : $rv);
+
+  $new_sql .= join '', @sql_part;
+
+  return ($new_sql, []);
 }
 
-=head1 AUTHORS
+=head2 interpolate_unquoted
+
+This method is called by L</_prep_for_execute> for every column in
+order to determine if its value should be quoted or not. The arguments
+are the current column data type and the actual bind value. The return
+value is interpreted as: true - do not quote, false - do quote. You should
+override this in you Storage::DBI::<database> subclass, if your RDBMS
+does not like quotes around certain datatypes (e.g. Sybase and integer
+columns). The default method returns false, except for integer datatypes
+paired with values containing nothing but digits.
+
+ WARNING!!!
+
+ Always validate that the bind-value is valid for the current datatype.
+ Otherwise you may very well open the door to SQL injection attacks.
+
+=cut
+
+sub interpolate_unquoted {
+  #my ($self, $datatype, $value) = @_;
+
+  return 1 if (
+    defined $_[2]
+      and
+    $_[1]
+      and
+    $_[2] !~ /[^0-9]/
+      and
+    $_[1] =~ /int(?:eger)? | (?:tiny|small|medium|big)int/ix
+  );
+
+  return 0;
+}
+
+=head2 _prep_interpolated_value
+
+Given a datatype and the value to be inserted directly into a SQL query, returns
+the necessary string to represent that value (by e.g. adding a '$' sign)
+
+=cut
+
+sub _prep_interpolated_value {
+  #my ($self, $datatype, $value) = @_;
+  return $_[2];
+}
 
-Brandon Black <blblack@gmail.com>
+=head1 FURTHER QUESTIONS?
 
-Trym Skaar <trym@tryms.no>
+Check the list of L<additional DBIC resources|DBIx::Class/GETTING HELP/SUPPORT>.
 
-=head1 LICENSE
+=head1 COPYRIGHT AND LICENSE
 
-You may distribute this code under the same terms as Perl itself.
+This module is free software L<copyright|DBIx::Class/COPYRIGHT AND LICENSE>
+by the L<DBIx::Class (DBIC) authors|DBIx::Class/AUTHORS>. You can
+redistribute it and/or modify it under the same terms as the
+L<DBIx::Class library|DBIx::Class/COPYRIGHT AND LICENSE>.
 
 =cut