Better yet for #4633

2025-12-06 20:51:31 +00:00 · 2021-04-09 11:43:01 +02:00
parent 732b9670d2
commit 387020ece8
2 changed files with 5 additions and 22 deletions
--- a/plugins/dbms/sqlite/syntax.py
+++ b/plugins/dbms/sqlite/syntax.py
@@ -5,35 +5,18 @@ Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """

-import binascii
-
-from lib.core.common import isDBMSVersionAtLeast
-from lib.core.convert import getBytes
-from lib.core.convert import getUnicode
+from lib.core.convert import getOrds
 from plugins.generic.syntax import Syntax as GenericSyntax

 class Syntax(GenericSyntax):
    @staticmethod
    def escape(expression, quote=True):
        """
-        >>> from lib.core.common import Backend
-        >>> Backend.setVersion('2')
-        ['2']
-        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
-        True
-        >>> Backend.setVersion('3')
-        ['3']
-        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
+        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97,98,99,100,101,102,103,104) FROM foobar"
        True
        """

        def escaper(value):
-            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
-            return "CAST(X'%s' AS TEXT)" % getUnicode(binascii.hexlify(getBytes(value)))
+            return "CHAR(%s)" % ','.join("%d" % _ for _ in getOrds(value))

-        retVal = expression
-
-        if isDBMSVersionAtLeast('3'):
-            retVal = Syntax._escape(expression, quote, escaper)
-
-        return retVal
+        return Syntax._escape(expression, quote, escaper)