sqlmap/plugins/dbms/sqlite/syntax.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import binascii

from lib.core.common import isDBMSVersionAtLeast
from lib.core.convert import getBytes
from lib.core.convert import getUnicode
from plugins.generic.syntax import Syntax as GenericSyntax

class Syntax(GenericSyntax):
    @staticmethod
    def escape(expression, quote=True):
        """
        >>> from lib.core.common import Backend
        >>> Backend.setVersion('2')
        ['2']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
        True
        >>> Backend.setVersion('3')
        ['3']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
        True
        """

        def escaper(value):
            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
            return "CAST(X'%s' AS TEXT)" % getUnicode(binascii.hexlify(getBytes(value)))

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`"""`
Copyright year bump 2020-01-01 15:25:15 +03:00			`Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`"""`

Fix for an Issue #110 2012-07-21 11:15:54 +04:00			`import binascii`

another update 2010-12-10 13:56:55 +03:00			`from lib.core.common import isDBMSVersionAtLeast`
Stabilizing DREI 2019-05-03 14:20:15 +03:00			`from lib.core.convert import getBytes`
Fixes #3622 2019-05-06 01:54:21 +03:00			`from lib.core.convert import getUnicode`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`from plugins.generic.syntax import Syntax as GenericSyntax`

			`class Syntax(GenericSyntax):`
			`@staticmethod`
Unescaping is renamed to escaping 2013-01-18 18:40:37 +04:00			`def escape(expression, quote=True):`
Update for an Issue #352 2013-03-11 17:58:05 +04:00			`"""`
Some refactoring 2016-12-20 01:47:39 +03:00			`>>> from lib.core.common import Backend`
Update for an Issue #352 2013-03-11 17:58:05 +04:00			`>>> Backend.setVersion('2')`
			`['2']`
Minor drei update 2019-05-02 13:39:16 +03:00			`>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"`
			`True`
Update for an Issue #352 2013-03-11 17:58:05 +04:00			`>>> Backend.setVersion('3')`
			`['3']`
Minor drei update 2019-05-02 13:39:16 +03:00			`>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"`
			`True`
Update for an Issue #352 2013-03-11 17:58:05 +04:00			`"""`

Refactoring DBMS string escaping functions 2013-01-20 16:45:58 +04:00			`def escaper(value):`
Adding a comment 2013-02-25 17:07:20 +04:00			`# Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3`
Minor drei update 2019-05-02 13:39:16 +03:00			`return "CAST(X'%s' AS TEXT)" % getUnicode(binascii.hexlify(getBytes(value)))`
Fix for an Issue #110 2012-07-21 11:15:54 +04:00
Patch for an Issue #362 (more work required) 2013-01-21 01:16:34 +04:00			`retVal = expression`

			`if isDBMSVersionAtLeast('3'):`
			`retVal = Syntax._escape(expression, quote, escaper)`

Another update for an Issue #362 2013-01-21 01:47:26 +04:00			`return retVal`