Fix #15219 SQL escape in db_mysql is not enough (#15234)

2026-04-19 14:00:35 +00:00 · 2020-09-04 17:04:27 +08:00
parent 77df02313d
commit c16ee37a71
1 changed files with 17 additions and 3 deletions
--- a/lib/impure/db_mysql.nim
+++ b/lib/impure/db_mysql.nim
@@ -118,10 +118,24 @@ when false:

 proc dbQuote*(s: string): string =
  ## DB quotes the string.
-  result = "'"
+  result = newStringOfCap(s.len + 2)
+  result.add "'"
  for c in items(s):
-    if c == '\'': add(result, "''")
-    else: add(result, c)
+    # see https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#mysql-escaping
+    case c
+    of '\0': result.add "\\0"
+    of '\b': result.add "\\b"
+    of '\t': result.add "\\t"
+    of '\l': result.add "\\n"
+    of '\r': result.add "\\r"
+    of '\x1a': result.add "\\Z"
+    of '"': result.add "\\\""
+    of '%': result.add "\\%"
+    of '\'': result.add "\\'"
+    of '\\': result.add "\\\\"
+    of '_': result.add "\\_"
+    of Letters+Digits: result.add c
+    else: result.add "\\" & $ord(c)
  add(result, '\'')

 proc dbFormat(formatstr: SqlQuery, args: varargs[string]): string =