Fixed DBAL-164. Quoting identifier was SQL Injection prone.

cc7987d9 · Guilherme Blanco · Benjamin Eberlei · 03ea4779 · cc7987d9
Commit cc7987d9 authored Sep 13, 2011 by Guilherme Blanco Committed by Benjamin Eberlei Sep 25, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

OCI8Connection.php lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php +1 -1

No files found.
--- a/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
+++ b/lib/Doctrine/DBAL/Driver/OCI8/OCI8Connection.php
@@ -83,7 +83,7 @@ class OCI8Connection implements \Doctrine\DBAL\Driver\Connection
     */
    public function quote($input, $type=\PDO::PARAM_STR)
    {
-        return is_numeric($input) ? $input : "'$input'";
+        return is_numeric($input) ? $input : "'" . str_replace("'", "''", $input) . "'";
    }
    /**