sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-11-04 18:07:46 +03:00
Code Issues Packages Projects Releases Wiki Activity

replacing identifier safe char " with [] enclosing for MsSQL

Browse Source
This commit is contained in:
Miroslav Stampar 2012-06-13 15:27:42 +00:00
parent 367de838c1
commit a51d8c4c79
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/core/common.py
View File

@ -2733,11 +2733,13 @@ def safeSQLIdentificatorNaming(name, isTable=False):
parts = name.split('.') parts = name.split('.')
for i in xrange(len(parts)): for i in xrange(len(parts)):
if not re.match(r"\A[A-Za-z0-9_]+\Z", parts[i]): if not re.match(r"\A[A-Za-z0-9_@\$]+\Z", parts[i]): # reference: http://stackoverflow.com/questions/954884/what-special-characters-are-allowed-in-t-sql-column-name
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
parts[i] = "`%s`" % parts[i].strip("`") parts[i] = "`%s`" % parts[i].strip("`")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2):
parts[i] = "\"%s\"" % parts[i].strip("\"") parts[i] = "\"%s\"" % parts[i].strip("\"")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL,):
parts[i] = "[%s]" % parts[i].strip("[]")
retVal = ".".join(parts) retVal = ".".join(parts)
@ -2753,8 +2755,11 @@ def unsafeSQLIdentificatorNaming(name):
if isinstance(name, basestring): if isinstance(name, basestring):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = name.replace("`", "") retVal = name.replace("`", "")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2):
retVal = name.replace("\"", "") retVal = name.replace("\"", "")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL,):
retVal = name.replace("[", "").replace("]", "")
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
prefix = "%s." % DEFAULT_MSSQL_SCHEMA prefix = "%s." % DEFAULT_MSSQL_SCHEMA
if retVal.startswith(prefix): if retVal.startswith(prefix):