From: Peter Rabbitson
Date: Tue, 21 Dec 2010 16:24:29 +0000 (+0100)
Subject: Consolidate the injection_guard checks, fix bobby's name
X-Git-Tag: v1.72~1
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=dbsrgits%2FSQL-Abstract.git;a=commitdiff_plain;h=170e6c33a3262ece53aa79249d9a8d1149bc4c35
Consolidate the injection_guard checks, fix bobby's name
---
diff --git a/lib/SQL/Abstract.pm b/lib/SQL/Abstract.pm
index 6ed7985..7fcea73 100644
--- a/lib/SQL/Abstract.pm
+++ b/lib/SQL/Abstract.pm
@@ -117,6 +117,17 @@ sub new {
 return bless \%opt, $class;
 }
+
+sub _assert_pass_injection_guard {
+ if ($_[1] =~ $_[0]->{injection_guard}) {
+ my $class = ref $_[0];
+ puke "Possible SQL injection attempt '$_[1]'. If this is indeed a part of the "
+ . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own "
+ . "{injection_guard} attribute to ${class}->new()"
+ }
+}
+
+
 #======================================================================
 # INSERT methods
 #======================================================================
@@ -547,13 +558,7 @@ sub _where_unary_op {
 $self->debug("Generic unary OP: $op - recursing as function");
- if ($op =~ $self->{injection_guard}) {
- my $class = ref $self;
-
- puke "Possible SQL injection attempt '$op'. If this is indeed a part of the "
- . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own "
- . "{injection_guard} attribute to ${class}->new()"
- }
+ $self->_assert_pass_injection_guard($op);
 my ($sql, @bind) = $self->_SWITCH_refkind ($rhs, {
 SCALAR => sub {
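Review bot: The new `_assert_pass_injection_guard` carries no comment stating its contract, and reading `$_[0]`/`$_[1]` positionally without unpacking makes the two-argument shape easy to misread from the three call sites that now depend on it. A header comment such as `# Croak (via puke) when $_[1], an operator or identifier about to be interpolated into SQL text, matches the {injection_guard} regex the caller configured through new().` would make the consolidated behaviour explicit. The positional access is presumably a hot-path choice mirroring `_quote`, which already uses the same style; if so, a few words saying that is the reason would stop a later cleanup from "fixing" it into a `my ($self, $ident) = @_;` for no gain, or would invite that change if it is not intended.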
@@ -713,14 +718,7 @@ sub _where_hashpair_HASHREF {
 $op =~ s/^\s+|\s+$//g;# remove leading/trailing space
 $op =~ s/\s+/ /g; # compress whitespace
- if ($op =~ $self->{injection_guard}) {
- my $class = ref $self;
-
- puke "Possible SQL injection attempt '$op'. If this is indeed a part of the "
- . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own "
- . "{injection_guard} attribute to ${class}->new()"
- }
-
+ $self->_assert_pass_injection_guard($op);
 # so that -not_foo works correctly
 $op =~ s/^not_/NOT /i;
@@ -1167,14 +1165,7 @@ sub _quote {
 return ${$_[1]} if ref($_[1]) eq 'SCALAR';
 unless ($_[0]->{quote_char}) {
-
- if ($_[1] =~ $_[0]->{injection_guard}) {
- my $class = ref $_[0];
- puke "Possible SQL injection attempt '$_[1]'. If this is indeed a part of the "
- . "desired SQL use literal SQL ( \'...' or \[ '...' ] ) or supply your own "
- . "{injection_guard} attribute to ${class}->new()";
- }
-
+ $_[0]->_assert_pass_injection_guard($_[1]);
 return $_[1];
 }
diff --git a/t/20injection_guard.t b/t/20injection_guard.t
index ee1b825..6a317bd 100644
--- a/t/20injection_guard.t
+++ b/t/20injection_guard.t
@@ -12,19 +12,19 @@ throws_ok(
 sub { $sqla->select( 'foo', [ 'bar' ],
- { 'boby; tables' => 'bar' },
+ { 'bobby; tables' => 'bar' },
 ); }, qr/Possible SQL injection attempt/, 'Injection thwarted on unquoted column' ); my ($sql, @bind) = $sqla_q->select( 'foo', [ 'bar' ],
- { 'boby; tables' => 'bar' },
+ { 'bobby; tables' => 'bar' },
 ); is_same_sql_bind ( $sql, \@bind,
- 'SELECT "bar" FROM "foo" WHERE ( "boby; tables" = ? )',
+ 'SELECT "bar" FROM "foo" WHERE ( "bobby; tables" = ? )',
 [ 'bar' ], 'Correct sql with quotes on' );
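Review bot: In `_where_hashpair_HASHREF` the guard is evaluated on `$op` after the whitespace normalisation above it but before the `s/^not_/NOT /i` rewrite two lines below, so the pattern sees the operator as the caller wrote it (normalised), not the `NOT ...` form that is emitted. That ordering looks deliberate, but nothing in the hunk says so, and a later reorder would silently change what the guard is matched against. A one-line comment above the new call would pin it: `# guard the caller-supplied operator (whitespace-normalised) before the -not_ prefix is rewritten`. The enclosing sub starts and ends outside this hunk.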
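Review bot: In `_quote` the guard is consulted only inside `unless ($_[0]->{quote_char})`, so once a quote_char is configured an identifier like `bobby; tables` (the test change in this same commit expects it to be emitted as `"bobby; tables"`) never meets the guard and the quoting branch is the sole defence. That is pre-existing behaviour rather than something this hunk introduces, but since the check is now a single named helper this is the place to record the split: `# unquoted path: identifiers are returned raw, so they must pass the guard; with quote_char set, quoting is the protection and the guard is skipped`. The quoting branch itself lies outside the hunk, so whether an identifier containing the quote character is escaped there is not visible here; it is worth confirming, as the guard does not stand in front of that path.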