Fix bug on insert where #1436
|
|
@ -908,6 +908,15 @@ func TestInsertWhere(t *testing.T) {
|
|||
assert.True(t, has)
|
||||
assert.EqualValues(t, "trest3", j3.Name)
|
||||
assert.EqualValues(t, 3, j3.Index)
|
||||
|
||||
inserted, err = testEngine.Table(new(InsertWhere)).Where("repo_id=?", 1).
|
||||
SetExpr("`index`", "coalesce(MAX(`index`),0)+1").
|
||||
Insert(map[string]interface{}{
|
||||
"repo_id": 1,
|
||||
"name": "10';delete * from insert_where; --",
|
||||
})
|
||||
assert.NoError(t, err)
|
||||
assert.EqualValues(t, 1, inserted)
|
||||
}
|
||||
|
||||
type NightlyRate struct {
|
||||
|
|
|
|||
|
|
@ -6,17 +6,60 @@ package xorm
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"xorm.io/builder"
|
||||
"xorm.io/core"
|
||||
)
|
||||
|
||||
func quoteNeeded(a interface{}) bool {
|
||||
switch a.(type) {
|
||||
case int, int8, int16, int32, int64:
|
||||
return false
|
||||
case uint, uint8, uint16, uint32, uint64:
|
||||
return false
|
||||
case float32, float64:
|
||||
return false
|
||||
case bool:
|
||||
return false
|
||||
case string:
|
||||
return true
|
||||
case time.Time, *time.Time:
|
||||
return true
|
||||
case builder.Builder, *builder.Builder:
|
||||
return false
|
||||
}
|
||||
|
||||
t := reflect.TypeOf(a)
|
||||
switch t.Kind() {
|
||||
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
||||
return false
|
||||
case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
|
||||
return false
|
||||
case reflect.Float32, reflect.Float64:
|
||||
return false
|
||||
case reflect.Bool:
|
||||
return false
|
||||
case reflect.String:
|
||||
return true
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func convertArg(arg interface{}) string {
|
||||
if quoteNeeded(arg) {
|
||||
argv := fmt.Sprintf("%v", arg)
|
||||
return "'" + strings.Replace(argv, "'", "''", -1) + "'"
|
||||
}
|
||||
|
||||
return fmt.Sprintf("%v", arg)
|
||||
}
|
||||
|
||||
func (statement *Statement) writeArg(w *builder.BytesWriter, arg interface{}) error {
|
||||
switch argv := arg.(type) {
|
||||
case string:
|
||||
if _, err := w.WriteString("'" + argv + "'"); err != nil {
|
||||
return err
|
||||
}
|
||||
case bool:
|
||||
if statement.Engine.dialect.DBType() == core.MSSQL {
|
||||
if argv {
|
||||
|
|
@ -50,7 +93,7 @@ func (statement *Statement) writeArg(w *builder.BytesWriter, arg interface{}) er
|
|||
return err
|
||||
}
|
||||
default:
|
||||
if _, err := w.WriteString(fmt.Sprintf("%v", argv)); err != nil {
|
||||
if _, err := w.WriteString(convertArg(arg)); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user