Refactoring DBMS string escaping functions

2025-12-06 12:41:30 +00:00 · 2013-01-20 13:45:58 +01:00
parent 3b57fe2924
commit b4a55a809e
12 changed files with 52 additions and 206 deletions
--- a/plugins/dbms/mysql/syntax.py
+++ b/plugins/dbms/mysql/syntax.py
@@ -6,10 +6,8 @@ See the file 'doc/COPYING' for copying permission
 """

 import binascii
-import re

 from lib.core.convert import utf8encode
-from lib.core.exception import SqlmapSyntaxException
 from plugins.generic.syntax import Syntax as GenericSyntax

 class Syntax(GenericSyntax):
@@ -18,14 +16,12 @@ class Syntax(GenericSyntax):

    @staticmethod
    def escape(expression, quote=True):
-        if quote:
-            unescaped = expression
-            for item in re.findall(r"'[^']+'", expression, re.S):
-                try:
-                    unescaped = unescaped.replace(item, "0x%s" % binascii.hexlify(item.strip("'")))
-                except UnicodeEncodeError:
-                    unescaped = unescaped.replace(item, "CONVERT(0x%s USING utf8)" % "".join("%.2x" % ord(_) for _ in utf8encode(item.strip("'"))))
-        else:
-            unescaped = "0x%s" % binascii.hexlify(expression)
+        def escaper(value):
+            retVal = None
+            try:
+                retVal = "0x%s" % binascii.hexlify(value.strip("'"))
+            except UnicodeEncodeError:
+                retVal = "CONVERT(0x%s USING utf8)" % "".join("%.2x" % ord(_) for _ in utf8encode(value.strip("'")))
+            return retVal

-        return unescaped
+        return Syntax._escape(expression, quote, escaper)