Fixed DBAL-164. Quoting identifier was SQL Injection prone.

82cc9214 · Guilherme Blanco · 3d82e0de · 82cc9214
Commit 82cc9214 authored Sep 13, 2011 by Guilherme Blanco
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

OCI8Connection.php lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php +1 -1

No files found.
--- a/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
+++ b/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
@@ -83,7 +83,7 @@ class OCI8Connection implements \Doctrine\DBAL\Driver\Connection
     */
    public function quote($input, $type=\PDO::PARAM_STR)
    {
-        return is_numeric($input) ? $input : "'$input'";
+        return is_numeric($input) ? $input : "'" . str_replace("'", "''", $input) . "'";
    }

    /**