Hi all,
today we got an error when using the APR DBD Oracle driver with a string
containing a single quote. Attached is a patch which implements a simple
quoting mechanism for the Oracle driver. It does not make use of Oracle's
special quoting mechanism q'<string>' introduced in 10g; instead it
escapes each single quote with an additional single quote.
Regards,
Stefan
--
Stefan Ruppert <[email protected]>
MyARM GmbH, Altkönigstr. 7, 65830 Kriftel, Germany
Phone: +49 6192/9772818
Web: http://www.myarm.com
--- apr_dbd_oracle-old.c 2011-09-07 10:59:37.000000000 +0200
+++ apr_dbd_oracle.c 2011-09-07 10:49:00.000000000 +0200
@@ -863,7 +863,30 @@
static const char *dbd_oracle_escape(apr_pool_t *pool, const char *arg,
apr_dbd_t *sql)
{
- return arg; /* OCI has no concept of string escape */
+ /* we need to quote the string if there is a single quote in the string.*/
+ if(strchr(arg, '\'') == 0) {
+ return arg;
+ } else {
+ size_t len = strlen(arg);
+ const char *cptr = arg;
+ char *ret;
+ char *ptr;
+ /* count single quotes */
+ while(*cptr != '\0') {
+ if(*cptr++ == '\'')
+ ++len;
+ }
+ ret = ptr = apr_palloc(pool, len + 1);
+ /* copy string and adding an additional quote for each single quote */
+ while(*arg != '\0') {
+ if(*arg == '\'') {
+ *ptr++ = '\'';
+ }
+ *ptr++ = *arg++;
+ }
+ *ptr = '\0';
+ return ret;
+ }
}
static int dbd_oracle_prepare(apr_pool_t *pool, apr_dbd_t *sql,
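Review bot: The new body of dbd_oracle_escape passes `arg` straight to `strchr(arg, '\'')`, so a NULL argument, which the old `return arg;` handed back untouched, is now dereferenced. Whether any caller passes NULL is not visible in this hunk, but the guard is cheap: `if (arg == NULL || strchr(arg, '\'') == NULL) return arg;`. The leading comment should also state the contract: the result is only safe when the caller places it inside a single-quoted SQL literal, and doubling quotes does nothing for values spliced into numeric or identifier positions. Bind variables through the driver's prepare path remain the preferred way to pass untrusted data, and the comment can say so. It is also worth documenting that the return value aliases `arg` when no quote is present and is allocated from `pool` otherwise.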