X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FDBIx%2FClass%2FStorage%2FDBI%2FNoBindVars.pm;h=c74b9c0c1e251bce1e333fbcceea308c53a44675;hb=5432c6ae1a31569775574edd42cb3e3f6f79cfff;hp=23887622d204ef9718442041eb5d84b9adb558f8;hpb=a4c8f60de274a233052d373013c45af06df2a76c;p=dbsrgits%2FDBIx-Class-Historic.git diff --git a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm index 2388762..c74b9c0 100644 --- a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm +++ b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm @@ -17,60 +17,72 @@ well, as is the case with L =head1 METHODS -=head2 sth +=head2 connect_info -Uses C instead of the usual C, seeing as we can't cache very effectively without bind variables. +We can't cache very effectively without bind variables, so force the C setting to be turned on when the connect info is set. =cut -sub sth { - my ($self, $sql) = @_; - return $self->dbh->prepare($sql); +sub connect_info { + my $self = shift; + my $retval = $self->next::method(@_); + $self->disable_sth_caching(1); + $retval; } -=head2 _execute +=head2 _prep_for_execute -Manually subs in the values for the usual C placeholders before calling L on the generated SQL. +Manually subs in the values for the usual C placeholders. =cut -sub _execute { - my ($self, $op, $extra_bind, $ident, @args) = @_; - my ($sql, @bind) = $self->sql_maker->$op($ident, @args); - unshift(@bind, @$extra_bind) if $extra_bind; - if ($self->debug) { - my @debug_bind = map { defined $_ ? qq{'$_'} : q{'NULL'} } @bind; - $self->debugobj->query_start($sql, @debug_bind); - } +sub _prep_for_execute { + my $self = shift; - $sql =~ s/\?/$self->_dbh->quote(shift(@bind))/eg; + my ($op, $extra_bind, $ident) = @_; - my $sth = eval { $self->sth($sql,$op) }; + my ($sql, $bind) = $self->next::method(@_); - if (!$sth || $@) { - $self->throw_exception( - 'no sth generated via sql (' . ($@ || $self->_dbh->errstr) . "): $sql" - ); - } + # stringify args, quote via $dbh, and manually insert - my $rv; - if ($sth) { - my $time = time(); - $rv = eval { $sth->execute }; + my @sql_part = split /\?/, $sql; + my $new_sql; - if ($@ || !$rv) { - $self->throw_exception("Error executing '$sql': ".($@ || $sth->errstr)); + foreach my $bound (@$bind) { + my $col = shift @$bound; + my $datatype = 'FIXME!!!'; + foreach my $data (@$bound) { + if(ref $data) { + $data = ''.$data; + } + $data = $self->_dbh->quote($data) if $self->should_quote_data_type($datatype, $data); + $new_sql .= shift(@sql_part) . $data; } - } else { - $self->throw_exception("'$sql' did not generate a statement."); - } - if ($self->debug) { - my @debug_bind = map { defined $_ ? qq{`$_'} : q{`NULL'} } @bind; - $self->debugobj->query_end($sql, @debug_bind); } - return (wantarray ? ($rv, $sth, @bind) : $rv); + $new_sql .= join '', @sql_part; + + return ($new_sql); } +=head2 should_quote_data_type + +This method is called by L for every column in +order to determine if its value should be quoted or not. The arguments +are the current column data type and the actual bind value. The return +value is interpreted as: true - do quote, false - do not quote. You should +override this in you Storage::DBI:: subclass, if your RDBMS +does not like quotes around certain datatypes (e.g. Sybase and integer +columns). The default method always returns true (do quote). + + WARNING!!! + + Always validate that the bind-value is valid for the current datatype. + Otherwise you may very well open the door to SQL injection attacks. + +=cut + +sub should_quote_data_type { 1 } + =head1 AUTHORS Brandon Black