Commit 64b8d77e authored by Benjamin Eberlei's avatar Benjamin Eberlei

Enhance OCI quoting by using the Zend Framework OCI code for quoting

parent a2346441
......@@ -81,9 +81,13 @@ class OCI8Connection implements \Doctrine\DBAL\Driver\Connection
* @param int $type PDO::PARAM*
* @return mixed
*/
public function quote($input, $type=\PDO::PARAM_STR)
public function quote($value, $type=\PDO::PARAM_STR)
{
return is_numeric($input) ? $input : "'" . str_replace("'", "''", $input) . "'";
if (is_int($value) || is_float($value)) {
return $value;
}
$value = str_replace("'", "''", $value);
return "'" . addcslashes($value, "\000\n\r\\\032") . "'";
}
/**
......
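Review bot: The new `addcslashes($value, "\000\n\r\\\032")` on the last line of the quote() body escapes with a backslash, but as far as I know Oracle string literals do not treat `\` as an escape character, so an input containing `\`, a newline or `\032` would be stored with a literal backslash sequence rather than the original bytes (the doubled single quote on the line above is the only escape Oracle actually needs). If that holds, the final line should be `return "'" . $value . "'";` after the `str_replace`, and the NUL byte should be rejected or bound as a parameter rather than escaped, since it cannot appear in a literal. The `$type` parameter is also never consulted, so the docblock's `@param int $type PDO::PARAM*` is misleading; either honour it for `PDO::PARAM_INT` or note `// $type is ignored: numeric PHP values are passed through unquoted, everything else is quoted as a string`. Returning a raw float unquoted is also worth a look, as float-to-string conversion was locale dependent in the PHP versions this code targets and could emit `1,5` into the SQL text.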
......@@ -269,4 +269,12 @@ class DataAccessTest extends \Doctrine\Tests\DbalFunctionalTestCase
$this->assertEquals('2010-03-01', date('Y-m-d', strtotime($row['add_month'])), "Adding month should end up on 2010-03-01");
$this->assertEquals('2009-11-01', date('Y-m-d', strtotime($row['sub_month'])), "Adding month should end up on 2009-11-01");
}
public function testQuoteSQLInjection()
{
$sql = "SELECT * FROM fetch_table WHERE test_string = " . $this->_conn->quote("bar' OR '1'='1");
$rows = $this->_conn->fetchAll($sql);
$this->assertEquals(0, count($rows), "no result should be returned, otherwise SQL injection is possible");
}
}
\ No newline at end of file
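Review bot: testQuoteSQLInjection only exercises the single-quote case, so it cannot tell whether the OCI quote() change alters stored data for other characters it now escapes. A companion round-trip test that inserts values containing a backslash, a newline and `\032` through quote() and asserts the fetched value equals the original input would pin the escaping behaviour on every platform, not just Oracle. The zero-row assertion would also be clearer as `$this->assertCount(0, $rows, ...)` if the PHPUnit version in use supports it; `assertEquals(0, count($rows))` is fine otherwise.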