[dbsrgits/DBIx-Class.git] / lib / DBIx / Class / Storage / DBI / NoBindVars.pm

package DBIx::Class::Storage::DBI::NoBindVars;

use strict;
use warnings;

use base 'DBIx::Class::Storage::DBI';
use mro 'c3';

=head1 NAME 

DBIx::Class::Storage::DBI::NoBindVars - Sometime DBDs have poor to no support for bind variables

=head1 DESCRIPTION

This class allows queries to work when the DBD or underlying library does not
support the usual C<?> placeholders, or at least doesn't support them very
well, as is the case with L<DBD::Sybase>

=head1 METHODS

=head2 connect_info

We can't cache very effectively without bind variables, so force the C<disable_sth_caching> setting to be turned on when the connect info is set.

=cut

sub connect_info {
    my $self = shift;
    my $retval = $self->next::method(@_);
    $self->disable_sth_caching(1);
    $retval;
}

=head2 _prep_for_execute

Manually subs in the values for the usual C<?> placeholders.

=cut

sub _prep_for_execute {
  my $self = shift;

  my ($op, $extra_bind, $ident, $args) = @_;

  my ($sql, $bind) = $self->next::method(@_);

  # stringify args, quote via $dbh, and manually insert

  my @sql_part = split /\?/, $sql;
  my $new_sql;

  my $col_info = $self->_resolve_column_info($ident, [ map $_->[0], @$bind ]);

  foreach my $bound (@$bind) {
    my $col = shift @$bound;

    my $datatype = $col_info->{$col}{data_type};

    foreach my $data (@$bound) {
      $data = ''.$data if ref $data;

      $data = $self->_dbh->quote($data)
        if $self->should_quote_value($datatype, $data);

      $new_sql .= shift(@sql_part) . $data;
    }
  }
  $new_sql .= join '', @sql_part;

  return ($new_sql, []);
}

=head2 should_quote_value
                                
This method is called by L</_prep_for_execute> for every column in
order to determine if its value should be quoted or not. The arguments
are the current column data type and the actual bind value. The return
value is interpreted as: true - do quote, false - do not quote. You should
override this in you Storage::DBI::<database> subclass, if your RDBMS
does not like quotes around certain datatypes (e.g. Sybase and integer
columns). The default method always returns true (do quote).
                                
 WARNING!!!                     
                                
 Always validate that the bind-value is valid for the current datatype.
 Otherwise you may very well open the door to SQL injection attacks.
                                
=cut                            
                                
sub should_quote_value { 1 }

=head1 AUTHORS

Brandon Black <blblack@gmail.com>

Trym Skaar <trym@tryms.no>

=head1 LICENSE

You may distribute this code under the same terms as Perl itself.

=cut

1;
Commit	Line	Data
3885cff6	1	package DBIx::Class::Storage::DBI::NoBindVars;
	2
	3	use strict;
	4	use warnings;
	5
	6	use base 'DBIx::Class::Storage::DBI';
2ad62d97	7	use mro 'c3';
3885cff6	8
b43345f2	9	=head1 NAME
	10
	11	DBIx::Class::Storage::DBI::NoBindVars - Sometime DBDs have poor to no support for bind variables
	12
	13	=head1 DESCRIPTION
	14
	15	This class allows queries to work when the DBD or underlying library does not
	16	support the usual C<?> placeholders, or at least doesn't support them very
	17	well, as is the case with L<DBD::Sybase>
	18
	19	=head1 METHODS
	20
b33697ef	21	=head2 connect_info
b43345f2	22
b33697ef	23	We can't cache very effectively without bind variables, so force the C<disable_sth_caching> setting to be turned on when the connect info is set.
b43345f2	24
	25	=cut
	26
b33697ef	27	sub connect_info {
b33697ef	28	my $self = shift;
d944c5ae	29	my $retval = $self->next::method(@_);
b33697ef	30	$self->disable_sth_caching(1);
b33697ef	31	$retval;
b43345f2	32	}
b43345f2	33
d5130dd2	34	=head2 _prep_for_execute
b43345f2	35
d5130dd2	36	Manually subs in the values for the usual C<?> placeholders.
b43345f2	37
	38	=cut
	39
d5130dd2	40	sub _prep_for_execute {
d5130dd2	41	my $self = shift;
b50a5275	42
0c449973	43	my ($op, $extra_bind, $ident, $args) = @_;
b50a5275	44
d944c5ae	45	my ($sql, $bind) = $self->next::method(@_);
	46
	47	# stringify args, quote via $dbh, and manually insert
	48
b4474f31	49	my @sql_part = split /\?/, $sql;
	50	my $new_sql;
	51
28cea3aa	52	my $col_info = $self->_resolve_column_info($ident, [ map $_->[0], @$bind ]);
a49fe312	53
d944c5ae	54	foreach my $bound (@$bind) {
b50a5275	55	my $col = shift @$bound;
b55e97a7	56
28cea3aa	57	my $datatype = $col_info->{$col}{data_type};
b55e97a7	58
d944c5ae	59	foreach my $data (@$bound) {
7d17f469	60	$data = ''.$data if ref $data;
6636ad53	61
7d17f469	62	$data = $self->_dbh->quote($data)
7d17f469	63	if $self->should_quote_value($datatype, $data);
6636ad53	64
7d17f469	65	$new_sql .= shift(@sql_part) . $data;
d944c5ae	66	}
d944c5ae	67	}
b4474f31	68	$new_sql .= join '', @sql_part;
d5130dd2	69
01c04b1b	70	return ($new_sql, []);
3885cff6	71	}
3885cff6	72
7d17f469	73	=head2 should_quote_value
0c1bedfc	74
148e3b50	75	This method is called by L</_prep_for_execute> for every column in
	76	order to determine if its value should be quoted or not. The arguments
	77	are the current column data type and the actual bind value. The return
	78	value is interpreted as: true - do quote, false - do not quote. You should
	79	override this in you Storage::DBI::<database> subclass, if your RDBMS
	80	does not like quotes around certain datatypes (e.g. Sybase and integer
	81	columns). The default method always returns true (do quote).
0c1bedfc	82
	83	WARNING!!!
	84
148e3b50	85	Always validate that the bind-value is valid for the current datatype.
148e3b50	86	Otherwise you may very well open the door to SQL injection attacks.
0c1bedfc	87
	88	=cut
	89
7d17f469	90	sub should_quote_value { 1 }
148e3b50	91
3885cff6	92	=head1 AUTHORS
	93
	94	Brandon Black <blblack@gmail.com>
b43345f2	95
7762b22c	96	Trym Skaar <trym@tryms.no>
3885cff6	97
	98	=head1 LICENSE
	99
	100	You may distribute this code under the same terms as Perl itself.
	101
	102	=cut
b43345f2	103
b43345f2	104	1;