PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-06 20:51:31 +00:00
Code Issues Projects Releases Wiki Activity

Refactoring DBMS string escaping functions

Browse Source
This commit is contained in:
Miroslav Stampar
2013-01-20 13:45:58 +01:00
parent 3b57fe2924
commit b4a55a809e
12 changed files with 52 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
plugins/dbms/oracle/syntax.py
View File

@@ -5,7 +5,6 @@ Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.exception import SqlmapSyntaxException
from plugins.generic.syntax import Syntax as GenericSyntax
class Syntax(GenericSyntax):
@@ -14,24 +13,7 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
if index == -1:
break
def escaper(value):
return "||".join("%s(%d)" % ("CHR" if ord(value[i]) < 256 else "NCHR", ord(value[i])) for i in xrange(len(value)))
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
unescaped = "||".join("%s(%d)" % ("CHR" if ord(expression[i]) < 256 else "NCHR", ord(expression[i])) for i in xrange(firstIndex, lastIndex))
expression = expression.replace(old, unescaped)
else:
expression = "||".join("CHR(%d)" % ord(c) for c in expression)
return expression
return Syntax._escape(expression, quote, escaper)