Commit cc7987d9 authored by Guilherme Blanco, committed by Benjamin Eberlei

Fixed DBAL-164. Quoting identifier was SQL Injection prone.

parent 03ea4779
......@@ -83,7 +83,7 @@ class OCI8Connection implements \Doctrine\DBAL\Driver\Connection
*/
public function quote($input, $type=\PDO::PARAM_STR)
{
return is_numeric($input) ? $input : "'$input'";
return is_numeric($input) ? $input : "'" . str_replace("'", "''", $input) . "'";
}
/**
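Review bot: the `$type` parameter (`\PDO::PARAM_STR` by default) is still ignored in the new body, so the decision to skip quoting is driven entirely by `is_numeric($input)` rather than by the caller's declared type. `is_numeric` accepts more than plain integers (leading whitespace, signs, decimals, exponent notation such as `1e3`), and any such string is emitted into the SQL text unquoted. Consider only taking the unquoted path when `$type` is `\PDO::PARAM_INT` (and casting with `(int)`), and otherwise always returning the quoted, doubled-apostrophe form; doubling `'` is the correct escaping for Oracle string literals, so the string branch itself looks right.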