Escape backslash (\) in SQL Strings as they can break queries unescaped.

2011-05-06 19:59:37 +01:00 · 2011-05-06 19:59:37 +01:00 · a9e1cf3f51
commit a9e1cf3f51
parent e246589cdf
1 changed files with 6 additions and 3 deletions
--- a/src/main/java/helma/objectmodel/db/DbMapping.java
+++ b/src/main/java/helma/objectmodel/db/DbMapping.java
@ -1580,7 +1580,7 @@ public final class DbMapping {
        String str = value == null ? null : value.toString();        
        if (str == null) {
            return null;
-        } else if (str.indexOf("'") < 0) {
+        } else if (str.indexOf('\'') < 0 && str.indexOf('\\') < 0) {
            return str;
        }

@ -1591,9 +1591,12 @@ public final class DbMapping {
            char c = str.charAt(i);

            if (c == '\'') {
-                sbuf.append('\'');
+                sbuf.append("\\'");
+            } else if (c == '\\') {
+                sbuf.append("\\\\");
+            } else {
+            	sbuf.append(c);
            }
-            sbuf.append(c);
        }
        return sbuf.toString();
    }