X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FDBIx%2FClass%2FStorage%2FDBI%2FNoBindVars.pm;h=c74b9c0c1e251bce1e333fbcceea308c53a44675;hb=5432c6ae1a31569775574edd42cb3e3f6f79cfff;hp=c5fa9af010858c47c33c015d06618b1793659308;hpb=d944c5aea7c21750ce97107aacb50db173ff2ddb;p=dbsrgits%2FDBIx-Class-Historic.git diff --git a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm index c5fa9af..c74b9c0 100644 --- a/lib/DBIx/Class/Storage/DBI/NoBindVars.pm +++ b/lib/DBIx/Class/Storage/DBI/NoBindVars.pm @@ -38,23 +38,51 @@ Manually subs in the values for the usual C placeholders. sub _prep_for_execute { my $self = shift; + + my ($op, $extra_bind, $ident) = @_; + my ($sql, $bind) = $self->next::method(@_); # stringify args, quote via $dbh, and manually insert + my @sql_part = split /\?/, $sql; + my $new_sql; + foreach my $bound (@$bind) { - shift @$bound; + my $col = shift @$bound; + my $datatype = 'FIXME!!!'; foreach my $data (@$bound) { if(ref $data) { $data = ''.$data; } - $sql =~ s/\?/$self->_dbh->quote($data)/e; + $data = $self->_dbh->quote($data) if $self->should_quote_data_type($datatype, $data); + $new_sql .= shift(@sql_part) . $data; } } + $new_sql .= join '', @sql_part; - return ($sql); + return ($new_sql); } +=head2 should_quote_data_type + +This method is called by L for every column in +order to determine if its value should be quoted or not. The arguments +are the current column data type and the actual bind value. The return +value is interpreted as: true - do quote, false - do not quote. You should +override this in you Storage::DBI:: subclass, if your RDBMS +does not like quotes around certain datatypes (e.g. Sybase and integer +columns). The default method always returns true (do quote). + + WARNING!!! + + Always validate that the bind-value is valid for the current datatype. + Otherwise you may very well open the door to SQL injection attacks. + +=cut + +sub should_quote_data_type { 1 } + =head1 AUTHORS Brandon Black