Add support for automatic quoting of identifiers in DBI.
Table and column names have not traditionally been quoted in Vend::Table::DBI
routines.  This can (and has) led to issues such as clashing with db reserved
words and possible SQL injection issues.  This patch adds optional support to
allow all SQL queries that are generated by Interchange to have all the
identifiers quoted.

To enable this feature just add the following configuration directive to
catalog.cfg:

    DatabaseDefault QUOTE_IDENTIFIERS 1

The above must be set before any Database or DatabaseAuto directives for it to
work properly.  You can also set this individually for each table:

    Database foo QUOTE_IDENTIFIERS 1

Also, if you want this to apply to all catalogs under a particular server instance, you can add this setting to catalog_before.cfg.

As an example of how db queries are affected by this setting for a MySQL db with
the Interchange tag [field price 12345] Interchange will send something like the
following without and with QUOTE_IDENTIFIERS set for the products table:

    Without: SELECT price FROM products WHERE sku='12345'
    With: SELECT `price` FROM `products` WHERE `sku`='12345'
pajamian committed Mar 13, 2015
1 parent 6c5933f commit de7af78
Showing 1 changed file with 199 additions and 81 deletions.
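Interchange itself is written in Perl; the following is an added Python example, not the project's code, that reproduces the effect the commit message describes. It uses SQLite, which accepts backtick-quoted identifiers like MySQL, and the table and column names it creates are constructed for the demonstration.

```python
import sqlite3


def quote_identifier(name: str, style: str = "mysql") -> str:
    """Quote a table or column name.  MySQL style wraps it in backticks; the
    ANSI style (PostgreSQL and others) uses double quotes.  A quote character
    inside the name is doubled so it cannot end the identifier early."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    q = "`" if style == "mysql" else '"'
    return q + name.replace(q, q + q) + q


def build_select(column: str, table: str, key: str, quote: bool) -> str:
    """Build the query with or without identifier quoting.  The looked-up
    value is always bound through a placeholder; identifier quoting is in
    addition to, not instead of, parameterised values."""
    if quote:
        column, table, key = (quote_identifier(n) for n in (column, table, key))
    return f"SELECT {column} FROM {table} WHERE {key}=?"


def run_both(column: str, table: str, key: str, value: str) -> tuple:
    """Run the unquoted and the quoted query against an in-memory SQLite db.
    Returns (unquoted_result, quoted_result); each is the fetched value or
    the exception class name when the statement fails to parse."""
    db = sqlite3.connect(":memory:")
    # Constructed schema; with reserved words as names the unquoted query
    # cannot be parsed, which is the clash the commit message refers to.
    db.execute(f"CREATE TABLE {quote_identifier(table)} "
               f"({quote_identifier(key)} TEXT, {quote_identifier(column)} TEXT)")
    db.execute(f"INSERT INTO {quote_identifier(table)} VALUES (?, ?)", (value, "9.99"))
    results = []
    for quote in (False, True):
        sql = build_select(column, table, key, quote)
        try:
            results.append(db.execute(sql, (value,)).fetchone()[0])
        except sqlite3.OperationalError as exc:
            results.append(type(exc).__name__)
    return tuple(results)
```

With ordinary names both forms return the same row; with a table called `order` and columns `group` and `select` only the quoted form runs.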
