Diffstat (limited to 'vendor/xorm.io/builder/sql.go')
-rw-r--r--vendor/xorm.io/builder/sql.go14
1 files changed, 9 insertions, 5 deletions
diff --git a/vendor/xorm.io/builder/sql.go b/vendor/xorm.io/builder/sql.go
index 0834242768..4250fea18d 100644
--- a/vendor/xorm.io/builder/sql.go
+++ b/vendor/xorm.io/builder/sql.go
@@ -8,6 +8,7 @@ import (
sql2 "database/sql"
"fmt"
"reflect"
+ "strings"
"time"
)
@@ -20,7 +21,7 @@ func condToSQL(cond Cond) (string, []interface{}, error) {
if err := cond.WriteTo(w); err != nil {
return "", nil, err
}
- return w.writer.String(), w.args, nil
+ return w.String(), w.args, nil
}
func condToBoundSQL(cond Cond) (string, error) {
@@ -32,7 +33,7 @@ func condToBoundSQL(cond Cond) (string, error) {
if err := cond.WriteTo(w); err != nil {
return "", err
}
- return ConvertToBoundSQL(w.writer.String(), w.args)
+ return ConvertToBoundSQL(w.String(), w.args)
}
// ToSQL convert a builder or conditions to SQL and args
@@ -92,7 +93,7 @@ func noSQLQuoteNeeded(a interface{}) bool {
// ConvertToBoundSQL will convert SQL and args to a bound SQL
func ConvertToBoundSQL(sql string, args []interface{}) (string, error) {
- buf := StringBuilder{}
+ buf := strings.Builder{}
var i, j, start int
for ; i < len(sql); i++ {
if sql[i] == '?' {
@@ -114,7 +115,10 @@ func ConvertToBoundSQL(sql string, args []interface{}) (string, error) {
if noSQLQuoteNeeded(arg) {
_, err = fmt.Fprint(&buf, arg)
} else {
- _, err = fmt.Fprintf(&buf, "'%v'", arg)
+ // replace ' -> '' (standard replacement) to avoid critical SQL injection,
+ // NOTICE: may allow some injection like % (or _) in LIKE query
+ _, err = fmt.Fprintf(&buf, "'%v'", strings.Replace(fmt.Sprintf("%v", arg), "'",
+ "''", -1))
}
if err != nil {
return "", err
@@ -131,7 +135,7 @@ func ConvertToBoundSQL(sql string, args []interface{}) (string, error) {
// ConvertPlaceholder replaces ? to $1, $2 ... or :1, :2 ... according prefix
func ConvertPlaceholder(sql, prefix string) (string, error) {
- buf := StringBuilder{}
+ buf := strings.Builder{}
var i, j, start int
for ; i < len(sql); i++ {
if sql[i] == '?' {