Diffstat (limited to 'lib/impure')
-rw-r--r-- | lib/impure/db_mysql.nim | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/lib/impure/db_mysql.nim b/lib/impure/db_mysql.nim
index c96829830..c3bcee677 100644
--- a/lib/impure/db_mysql.nim
+++ b/lib/impure/db_mysql.nim
@@ -118,10 +118,24 @@ when false:
 proc dbQuote*(s: string): string =
   ## DB quotes the string.
-  result = "'"
+  result = newStringOfCap(s.len + 2)
+  result.add "'"
   for c in items(s):
-    if c == '\'': add(result, "''")
-    else: add(result, c)
+    # see https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#mysql-escaping
+    case c
+    of '\0': result.add "\\0"
+    of '\b': result.add "\\b"
+    of '\t': result.add "\\t"
+    of '\l': result.add "\\n"
+    of '\r': result.add "\\r"
+    of '\x1a': result.add "\\Z"
+    of '"': result.add "\\\""
+    of '%': result.add "\\%"
+    of '\'': result.add "\\'"
+    of '\\': result.add "\\\\"
+    of '_': result.add "\\_"
+    of Letters+Digits: result.add c
+    else: result.add "\\" & $ord(c)
   add(result, '\'')
 
 proc dbFormat(formatstr: SqlQuery, args: varargs[string]): string =
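Review bot: The new `else: result.add "\\" & $ord(c)` branch corrupts ordinary data rather than escaping it: every byte outside the listed set — a space, `-`, `.`, `@`, or any byte of a multi-byte UTF-8 character — is emitted as a backslash followed by its decimal ordinal, so `"a b"` is quoted as `'a\32b'`, which MySQL reads back as `a32b` because an unrecognised backslash escape simply drops the backslash. The cheat sheet linked in the comment, as I read it, prescribes `\c` with `c` being the original character, so the line should be `else: result.add '\\'; result.add c` (or just `else: result.add c`, since none of those characters terminate the literal). Separately, `\%` and `\_` are only treated as escapes inside LIKE patterns; elsewhere MySQL keeps the backslash, so a value such as `50%` would be stored as `50\%`. Note also that backslash escaping is disabled under `sql_mode=NO_BACKSLASH_ESCAPES` and is charset-dependent for multi-byte encodings, whereas the removed `''` doubling survived both; escaping through the connection's `mysql_real_escape_string` would be the robust choice, though `dbQuote` as declared has no connection handle to use.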