Minor patch
Some checks are pending
/ build (macos-latest, 3.8) (push) Waiting to run
/ build (ubuntu-latest, pypy-2.7) (push) Waiting to run
/ build (windows-latest, 3.14) (push) Waiting to run

This commit is contained in:
Miroslav Štampar 2026-07-08 02:09:35 +02:00
parent f65dc92b1e
commit 89ddc5a592
3 changed files with 14 additions and 9 deletions

View file

@ -16,6 +16,8 @@ class Syntax(GenericSyntax):
True
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||NCHR(235)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
True
>>> Syntax.escape("SELECT 'a''b' FROM DUAL") == "SELECT CHR(97)||CHR(39)||CHR(98) FROM DUAL"
True
"""
def escaper(value):

View file

@ -26,18 +26,21 @@ class Syntax(object):
retVal = expression
if quote:
for item in re.findall(r"'[^']*'+", expression):
original = item[1:-1]
if original:
# Match a full SQL string literal, honouring the '' (doubled single quote) escape - e.g.
# 'a''b' is ONE literal whose value is a'b, not 'a'' followed by a dangling b'. The old
# r"'[^']*'+" split on the inner '' and left the tail bare, corrupting the encoded payload.
for item in re.findall(r"'(?:[^']|'')*'", expression):
value = item[1:-1].replace("''", "'") # inner content with '' collapsed to the real quote
if value:
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue
if re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker
replacement = escaper(original) if not conf.noEscape else original
if re.search(r"\[(SLEEPTIME|RAND)", value) is None: # e.g. '[SLEEPTIME]' marker
replacement = escaper(value) if not conf.noEscape else value
if replacement != original:
if replacement != value:
retVal = retVal.replace(item, replacement)
elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
retVal = retVal.replace("'%s'" % original, "n'%s'" % original)
elif len(value) != len(getBytes(value)) and "n%s" % item not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
retVal = retVal.replace(item, "n%s" % item)
else:
retVal = escaper(expression)