From: Peter Rabbitson Date: Tue, 21 Dec 2010 16:24:29 +0000 (+0100) Subject: Consolidate the injection_guard checks, fix bobby's name X-Git-Tag: v1.72~1 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=170e6c33a3262ece53aa79249d9a8d1149bc4c35;p=dbsrgits%2FSQL-Abstract.git Consolidate the injection_guard checks, fix bobby's name --- diff --git a/lib/SQL/Abstract.pm b/lib/SQL/Abstract.pm index 6ed7985..7fcea73 100644 --- a/lib/SQL/Abstract.pm +++ b/lib/SQL/Abstract.pm @@ -117,6 +117,17 @@ sub new { return bless \%opt, $class; } + +sub _assert_pass_injection_guard { + if ($_[1] =~ $_[0]->{injection_guard}) { + my $class = ref $_[0]; + puke "Possible SQL injection attempt '$_[1]'. If this is indeed a part of the " + . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own " + . "{injection_guard} attribute to ${class}->new()" + } +} + + #====================================================================== # INSERT methods #====================================================================== @@ -547,13 +558,7 @@ sub _where_unary_op { $self->debug("Generic unary OP: $op - recursing as function"); - if ($op =~ $self->{injection_guard}) { - my $class = ref $self; - - puke "Possible SQL injection attempt '$op'. If this is indeed a part of the " - . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own " - . "{injection_guard} attribute to ${class}->new()" - } + $self->_assert_pass_injection_guard($op); my ($sql, @bind) = $self->_SWITCH_refkind ($rhs, { SCALAR => sub { @@ -713,14 +718,7 @@ sub _where_hashpair_HASHREF { $op =~ s/^\s+|\s+$//g;# remove leading/trailing space $op =~ s/\s+/ /g; # compress whitespace - if ($op =~ $self->{injection_guard}) { - my $class = ref $self; - - puke "Possible SQL injection attempt '$op'. If this is indeed a part of the " - . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own " - . "{injection_guard} attribute to ${class}->new()" - } - + $self->_assert_pass_injection_guard($op); # so that -not_foo works correctly $op =~ s/^not_/NOT /i; @@ -1167,14 +1165,7 @@ sub _quote { return ${$_[1]} if ref($_[1]) eq 'SCALAR'; unless ($_[0]->{quote_char}) { - - if ($_[1] =~ $_[0]->{injection_guard}) { - my $class = ref $_[0]; - puke "Possible SQL injection attempt '$_[1]'. If this is indeed a part of the " - . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own " - . "{injection_guard} attribute to ${class}->new()"; - } - + $_[0]->_assert_pass_injection_guard($_[1]); return $_[1]; } diff --git a/t/20injection_guard.t b/t/20injection_guard.t index ee1b825..6a317bd 100644 --- a/t/20injection_guard.t +++ b/t/20injection_guard.t @@ -12,19 +12,19 @@ throws_ok( sub { $sqla->select( 'foo', [ 'bar' ], - { 'boby; tables' => 'bar' }, + { 'bobby; tables' => 'bar' }, ); }, qr/Possible SQL injection attempt/, 'Injection thwarted on unquoted column' ); my ($sql, @bind) = $sqla_q->select( 'foo', [ 'bar' ], - { 'boby; tables' => 'bar' }, + { 'bobby; tables' => 'bar' }, ); is_same_sql_bind ( $sql, \@bind, - 'SELECT "bar" FROM "foo" WHERE ( "boby; tables" = ? )', + 'SELECT "bar" FROM "foo" WHERE ( "bobby; tables" = ? )', [ 'bar' ], 'Correct sql with quotes on' );