author | Bung <crc32@qq.com> | 2020-09-04 17:04:27 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-04 11:04:27 +0200 |
commit | c16ee37a7106c645a0d17cc6bd8d399e20f61d96 (patch) | |
tree | db17d17f21b3520431e8ea6ea0c4fe19442857ec /lib/impure | |
parent | 77df02313d92859cd0d8faa87a139b4b6ea0f7d9 (diff) | |
download | Nim-c16ee37a7106c645a0d17cc6bd8d399e20f61d96.tar.gz |
Fix #15219 SQL escape in db_mysql is not enough (#15234)
Diffstat (limited to 'lib/impure')
-rw-r--r-- | lib/impure/db_mysql.nim | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/lib/impure/db_mysql.nim b/lib/impure/db_mysql.nim
index c96829830..c3bcee677 100644
--- a/lib/impure/db_mysql.nim
+++ b/lib/impure/db_mysql.nim
@@ -118,10 +118,24 @@ when false:
 proc dbQuote*(s: string): string =
 ## DB quotes the string.
- result = "'"
+ result = newStringOfCap(s.len + 2)
+ result.add "'"
 for c in items(s):
- if c == '\'': add(result, "''")
- else: add(result, c)
+ # see https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#mysql-escaping
+ case c
+ of '\0': result.add "\\0"
+ of '\b': result.add "\\b"
+ of '\t': result.add "\\t"
+ of '\l': result.add "\\n"
+ of '\r': result.add "\\r"
+ of '\x1a': result.add "\\Z"
+ of '"': result.add "\\\""
+ of '%': result.add "\\%"
+ of '\'': result.add "\\'"
+ of '\\': result.add "\\\\"
+ of '_': result.add "\\_"
+ of Letters+Digits: result.add c
+ else: result.add "\\" & $ord(c)
 add(result, '\'')
 proc dbFormat(formatstr: SqlQuery, args: varargs[string]): string = |
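Review bot: The new `else: result.add "\\" & $ord(c)` branch in dbQuote corrupts rather than escapes every byte outside the listed set — including a space, most punctuation, and every byte of a multibyte UTF-8 character — because MySQL reads a backslash before an unrecognised character as that character alone, so "a b" is emitted as `'a\32b'` and stored as "a32b", and non-ASCII text is turned into digit runs. None of those bytes is special inside a MySQL string literal, so the safe form is simply `else: result.add c`, and `of Letters+Digits: result.add c` then becomes redundant. The `'%'` and `'_'` cases are also wrong outside a `LIKE` pattern: MySQL keeps `\%` and `\_` literally in an ordinary string, so stored values gain a stray backslash; those two `of` lines should be dropped. Hand-rolled escaping is still blind to the connection character set and to the `NO_BACKSLASH_ESCAPES` SQL mode, which this proc cannot know about since it takes no connection handle; a doc comment such as `## Escapes `s` as a MySQL string literal using backslash escapes; assumes the default SQL mode and an ASCII-compatible connection charset.` would make that limitation visible to callers.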