34 lines
1.0 KiB
Plaintext
34 lines
1.0 KiB
Plaintext
note
|
|
description: "Help to encode sql queries, to prevent sql injections."
|
|
date: "$Date: 2014-08-20 15:21:15 -0300 (mi., 20 ago. 2014) $"
|
|
revision: "$Revision: 95678 $"
|
|
EIS: "SQL server injection", "src=http://blogs.msdn.com/b/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx", "protocol=url"
|
|
expanded class
|
|
DATABASE_SQL_SERVER_ENCODER
|
|
|
|
inherit
|
|
|
|
SHARED_LOGGER
|
|
|
|
feature -- Escape SQL input
|
|
|
|
encode (a_string:READABLE_STRING_32): READABLE_STRING_32
|
|
-- Escape single quote (') and braces ([,]).
|
|
local
|
|
l_string: STRING
|
|
do
|
|
l_string := a_string.twin
|
|
if not l_string.is_empty then
|
|
l_string.replace_substring_all ("[", "[[")
|
|
l_string.replace_substring_all ("]", "]]")
|
|
if l_string.index_of ('%'', 1) > 0 then
|
|
l_string.replace_substring ("[", 1, l_string.index_of ('%'', 1))
|
|
end
|
|
if l_string.last_index_of ('%'', l_string.count) > 0 then
|
|
l_string.replace_substring ("]", l_string.last_index_of ('%'', l_string.count), l_string.count)
|
|
end
|
|
end
|
|
Result := l_string
|
|
end
|
|
end
|