From 6fea677ad180adce8e0b430cf52632e92ee5d3ab Mon Sep 17 00:00:00 2001
From: mikl <>
Date: Thu, 16 Oct 2008 13:51:11 +0000
Subject: Fixed #882 (Escaping # and $ in SqlMap)
---
 HISTORY | 1 +
 UPGRADE | 3 +++
 .../Data/SqlMap/Configuration/TSqlMapXmlConfiguration.php | 14 ++++++++++++++
 3 files changed, 18 insertions(+)
diff --git a/HISTORY b/HISTORY
index b19f50ae..f204464b 100644
--- a/HISTORY
+++ b/HISTORY
@@ -30,6 +30,7 @@ ENH: Workaround for slow meta data retrieval in MySQL<5.1.21 (Michael)
 ENH: Ticket#756 - TDateFormat & TNumberFormat - allow settings default text when Value isn't set. (Carl)
 ENH: Ticket#823 - PromptText/PromptValue only populated if there is data (Knut)
 ENH: Ticket#876 - Assign empty string to CssUrl on TTabPanel to avoid loading extra css (GoDZilla, Knut)
+ENH: Ticket#882 - Allow to escape # and $ in sqlmap (Michael)
 ENH: Ticket#890 - Minor optimization: Use $var===null over is_null($var) (Knut)
 ENH: Ticket#893 - Added page parameter to queryForPagedList() to specify the initial page to load (Michael)
 ENH: Ticket#896 - TTheme - enhance for subclassing (Knut)
diff --git a/UPGRADE b/UPGRADE
index 55d8e3d5..ecb5225b 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -23,6 +23,9 @@ Upgrading from v3.1.2
 See http://wiki.moxiecode.com/index.php/TinyMCE:Migration_guide for more information.
 - If you use EnableStateEncryption, the PageState of your current user sessions will no longer be valid, since we optimized the encryption/compression logic.
+- You can now use # and $ characters in your SQL statements with SQLMap by
+ escaping them as ## and $$. That induces that you can't have consecutive
+ parameters like #param1##param2# or $param1$$param2$ in your statements anymore.
 Upgrading from v3.1.1
diff --git a/framework/Data/SqlMap/Configuration/TSqlMapXmlConfiguration.php b/framework/Data/SqlMap/Configuration/TSqlMapXmlConfiguration.php
index d0c57d57..470b061b 100644
--- a/framework/Data/SqlMap/Configuration/TSqlMapXmlConfiguration.php
+++ b/framework/Data/SqlMap/Configuration/TSqlMapXmlConfiguration.php
@@ -309,6 +309,16 @@ class TSqlMapXmlMappingConfiguration extends TSqlMapXmlConfigBuilder
 private $_FlushOnExecuteStatements=array();
+ /**
+ * Regular expressions for escaping simple/inline parameter symbols
+ */
+ const SIMPLE_MARK='$';
+ const INLINE_SYMBOL='#';
+ const ESCAPED_SIMPLE_MARK_REGEXP='/\$\$/';
+ const ESCAPED_INLINE_SYMBOL_REGEXP='/\#\#/';
+ const SIMPLE_PLACEHOLDER='`!!`';
+ const INLINE_PLACEHOLDER='`!!!`';
+
 /**
 * @param TSqlMapXmlConfiguration parent xml configuration.
 */
@@ -532,6 +542,7 @@ class TSqlMapXmlMappingConfiguration extends TSqlMapXmlConfigBuilder
 $scope['file'] = $this->_configFile;
 $scope['node'] = $node;
+ $sqlStatement=preg_replace(self::ESCAPED_INLINE_SYMBOL_REGEXP,self::INLINE_PLACEHOLDER,$sqlStatement);
 if($statement->parameterMap() === null)
 {
 // Build a Parametermap with the inline parameters.
@@ -548,6 +559,7 @@ class TSqlMapXmlMappingConfiguration extends TSqlMapXmlConfigBuilder
 }
 $sqlStatement = $sqlText['sql'];
 }
+ $sqlStatement=preg_replace('/'.self::INLINE_PLACEHOLDER.'/',self::INLINE_SYMBOL,$sqlStatement);
 $this->prepareSql($statement, $sqlStatement, $node);
 }
@@ -562,6 +574,7 @@ class TSqlMapXmlMappingConfiguration extends TSqlMapXmlConfigBuilder
 protected function prepareSql($statement,$sqlStatement, $node)
 {
 $simpleDynamic = new TSimpleDynamicParser;
+ $sqlStatement=preg_replace(self::ESCAPED_SIMPLE_MARK_REGEXP,self::SIMPLE_PLACEHOLDER,$sqlStatement);
 $dynamics = $simpleDynamic->parse($sqlStatement);
 if(count($dynamics['parameters']) > 0)
 {
@@ -570,6 +583,7 @@ class TSqlMapXmlMappingConfiguration extends TSqlMapXmlConfigBuilder
 }
 else
 $sql = new TStaticSql();
+ $sqlStatement=preg_replace('/'.self::SIMPLE_PLACEHOLDER.'/',self::SIMPLE_MARK,$sqlStatement);
 $sql->buildPreparedStatement($statement, $sqlStatement);
 $statement->setSqlText($sql);
 }
-- 
cgit v1.2.3
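Review bot: The docblock above the six new constants in the @@ -309 hunk calls them "Regular expressions", but only ESCAPED_SIMPLE_MARK_REGEXP and ESCAPED_INLINE_SYMBOL_REGEXP are patterns; the other four are literal strings, and the two placeholders are spliced unquoted into a `preg_replace()` pattern in the @@ -548 and @@ -570 hunks, which is an unstated constraint on their value. I would replace the shared docblock with one comment per constant, e.g. `// Stand-in for an escaped '$$' while the dynamic parser runs; must contain no PCRE metacharacters or '/', since it is concatenated raw into a pattern` above SIMPLE_PLACEHOLDER, and the equivalent for INLINE_PLACEHOLDER and '##'. That comment should also record the assumption that the literal text `` `!!` `` or `` `!!!` `` never occurs in a mapped statement, because the restore pass would rewrite such text to '$' or '#' unconditionally.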
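Review bot: The restore line added in the @@ -548 hunk builds a PCRE pattern by concatenating `self::INLINE_PLACEHOLDER` between slashes without `preg_quote()`, so the replacement is only correct as long as that constant never contains a metacharacter or '/'; the @@ -570 hunk does the same with SIMPLE_PLACEHOLDER. Both placeholders are fixed literal strings, so a plain string replacement does the same job without that coupling: `$sqlStatement=str_replace(self::INLINE_PLACEHOLDER,self::INLINE_SYMBOL,$sqlStatement);` here and `$sqlStatement=str_replace(self::SIMPLE_PLACEHOLDER,self::SIMPLE_MARK,$sqlStatement);` in the later hunk. That also removes the case where `preg_replace()` returns null on a PCRE error and a null statement is handed to `prepareSql()` or `buildPreparedStatement()`. The enclosing method begins before this hunk.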
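Review bot: `prepareSql()` now collapses the `$$` escape itself (the line added in the @@ -562 hunk) while the `##` escape is collapsed and restored by its caller in the @@ -532 and @@ -548 hunks, so any other caller of this protected method — I cannot tell from the hunk whether one exists — would get `$$` handling but not `##` handling. The method's docblock, which begins before this hunk, should state that contract, e.g. `@param string $sqlStatement SQL text whose '##' escapes have already been reduced to '#' by the caller; '$$' is reduced to '$' here, after TSimpleDynamicParser has run`. A why-comment on the added line, `// hide escaped '$$' from the dynamic parser; restored below before the statement is built`, would also help a reader, since the matching restore sits in the following hunk.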