X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FDBIx%2FClass%2FStorage%2FDBI%2FNoBindVars.pm;h=637e41140f833d154f009a4fce47a048a775c753;hb=6636ad53c7480e9546c2a0a3ecaa5a807874c819;hp=349f658800b98a7554918851e11f86ab425b1ad3;hpb=35e3ee0e6d75e25434046bdf26ef760f4dcd264b;p=dbsrgits%2FDBIx-Class-Historic.git
diff --git a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
index 349f658..637e411 100644
--- a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
+++ b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
@@ -4,6 +4,8 @@ use strict;
 use warnings;
 use base 'DBIx::Class::Storage::DBI';
+use Scalar::Util ();
+use Carp::Clan qw/^DBIx::Class/;
 =head1 NAME
@@ -39,7 +41,7 @@ Manually subs in the values for the usual C placeholders.
 sub _prep_for_execute {
 my $self = shift;
- my ($op, $extra_bind, $ident) = @_;
+ my ($op, $extra_bind, $ident, $args) = @_;
 my ($sql, $bind) = $self->next::method(@_);
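Review bot: `use Scalar::Util ();` and `use Carp::Clan qw/^DBIx::Class/;` are added here, but nothing in this diff calls a `Scalar::Util` function or `croak`, so both imports look unused as of this commit. If they are meant for an error path in `_prep_for_execute` (its rewritten body is in the hunk starting at old line 48), that path is not present in the diff; otherwise drop them until they are needed so the file's dependency list reflects what the code actually does.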
@@ -48,22 +50,55 @@ sub _prep_for_execute {
 my @sql_part = split /\?/, $sql;
 my $new_sql;
+ my $alias2src = $self->_resolve_ident_sources($ident);
+
 foreach my $bound (@$bind) {
 my $col = shift @$bound;
- my $datatype = 'FIXME!!!';
+
+ my $name_sep = $self->_sql_maker_opts->{name_sep} || '.';
+ my $quote_char = $self->_sql_maker_opts->{quote_char} || '';
+ $quote_char = join '', @$quote_char if ref $quote_char eq 'ARRAY';
+
+ $col =~ s/[\Q${quote_char}\E]//g if $quote_char;
+ $col =~ s/^([^\Q${name_sep}\E]*)\Q${name_sep}\E//;
+ my $alias = $1 || 'me';
+
+ my $rsrc = $alias2src->{$alias};
+
+ my $datatype = $rsrc && $rsrc->column_info($col)->{data_type};
+
 foreach my $data (@$bound) {
- if(ref $data) {
- $data = ''.$data;
- }
- $data = $self->_dbh->quote($data);
+ $data = ''.$data if ref $data;
+
+ $data = $self->_dbh->quote($data) if $self->should_quote($datatype, $data);
+
 $new_sql .= shift(@sql_part) . $data;
 }
 }
 $new_sql .= join '', @sql_part;
- return ($new_sql);
+ return ($new_sql, []);
 }
+=head2 should_quote
+
+This method is called by L for every column in
+order to determine if its value should be quoted or not. The arguments
+are the current column data type and the actual bind value. The return
+value is interpreted as: true - do quote, false - do not quote. You should
+override this in you Storage::DBI:: subclass, if your RDBMS
+does not like quotes around certain datatypes (e.g. Sybase and integer
+columns). The default method always returns true (do quote).
+
+ WARNING!!!
+
+ Always validate that the bind-value is valid for the current datatype.
+ Otherwise you may very well open the door to SQL injection attacks.
+
+=cut
+
+sub should_quote { 1 }
+
 =head1 AUTHORS
 Brandon Black
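Review bot: `my $alias = $1 || 'me';` reads `$1` without checking that the `s/^([^\Q${name_sep}\E]*)\Q${name_sep}\E//` just before it matched, and Perl leaves `$1` holding the last successful capture, so an unqualified bind column that follows a qualified one in this loop inherits the previous iteration's alias and is resolved against the wrong result source — which is also where the `$datatype` passed to `should_quote` comes from. Take the alias from the substitution's result instead: `my $alias = ($col =~ s/^([^\Q${name_sep}\E]*)\Q${name_sep}\E//) ? $1 : 'me';`. `$rsrc->column_info($col)` is then called with whatever remains of the bind name; if the source does not know that column (for example an entry that originated in `$extra_bind`) I cannot tell from the hunk whether this returns undef or throws, so a `$rsrc->has_column($col)` guard, or a comment stating the contract, would help. Since a false return from `should_quote` puts `$data` into `$new_sql` unquoted, the line `$data = $self->_dbh->quote($data) if $self->should_quote($datatype, $data);` deserves a comment such as `# an override returning false asserts it has already validated $data as a literal of $datatype`, so the POD warning is visible where it matters. The `$name_sep` and `$quote_char` lookups are loop-invariant and could move above the outer `foreach`.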