Add isSqlSafe filters

mythz · mythz · commit 0a7c8f0b4a5d · 2018-08-21T17:24:42.000-04:00
diff --git a/src/ServiceStack.OrmLite/OrmLiteUtils.cs b/src/ServiceStack.OrmLite/OrmLiteUtils.cs
@@ -465,22 +465,30 @@ public static string SqlValue(this object value)
 
         public static Func<string,string> SqlVerifyFragmentFn { get; set; }
 
-        public static string SqlVerifyFragment(this string sqlFragment)
+        public static bool IsSqlSafe(string sql)
         {
-            if (sqlFragment == null)
-                return null;
+            if (sql == null)
+                return true;
 
             if (SqlVerifyFragmentFn != null)
-                return SqlVerifyFragmentFn(sqlFragment);
+            {
+                SqlVerifyFragmentFn(sql);
+                return true;
+            }
 
-            var fragmentToVerify = sqlFragment
+            var fragmentToVerify = sql
                 .StripQuotedStrings('\'')
                 .StripQuotedStrings('"')
                 .StripQuotedStrings('`')
                 .ToLower();
 
             var match = VerifyFragmentRegEx.Match(fragmentToVerify);
-            if (match.Success)
+            return !match.Success;
+        }
+
+        public static string SqlVerifyFragment(this string sqlFragment)
+        {
+            if (!IsSqlSafe(sqlFragment))
                 throw new ArgumentException("Potential illegal fragment detected: " + sqlFragment);
 
             return sqlFragment;
diff --git a/src/ServiceStack.OrmLite/TemplateDbFilters.cs b/src/ServiceStack.OrmLite/TemplateDbFilters.cs
@@ -84,6 +84,8 @@ public int dbExec(TemplateScopeContext scope, string sql, Dictionary<string, obj
         public string sqlTake(int? limit) => padCondition(OrmLiteConfig.DialectProvider.SqlLimit(null, limit));
         public string ormliteVar(string name) => OrmLiteConfig.DialectProvider.Variables.TryGetValue(name, out var value) ? value : null;
 
+        public bool isSqlSafe(string sql) => OrmLiteUtils.IsSqlSafe(sql);
+
         private string padCondition(string text) => string.IsNullOrEmpty(text) ? "" : " " + text;
     }
 }
diff --git a/src/ServiceStack.OrmLite/TemplateDbFiltersAsync.cs b/src/ServiceStack.OrmLite/TemplateDbFiltersAsync.cs
@@ -86,6 +86,8 @@ public Task<object> dbExec(TemplateScopeContext scope, string sql, Dictionary<st
         public string sqlTake(int? limit) => padCondition(OrmLiteConfig.DialectProvider.SqlLimit(null, limit));
         public string ormliteVar(string name) => OrmLiteConfig.DialectProvider.Variables.TryGetValue(name, out var value) ? value : null;
 
+        public bool isSqlSafe(string sql) => OrmLiteUtils.IsSqlSafe(sql);
+
         private string padCondition(string text) => string.IsNullOrEmpty(text) ? "" : " " + text;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,8 @@ public int dbExec(TemplateScopeContext scope, string sql, Dictionary<string, obj`
`84`	`84`	`public string sqlTake(int? limit) => padCondition(OrmLiteConfig.DialectProvider.SqlLimit(null, limit));`
`85`	`85`	`public string ormliteVar(string name) => OrmLiteConfig.DialectProvider.Variables.TryGetValue(name, out var value) ? value : null;`
`86`	`86`
	`87`	`+ public bool isSqlSafe(string sql) => OrmLiteUtils.IsSqlSafe(sql);`
	`88`	`+`
`87`	`89`	`private string padCondition(string text) => string.IsNullOrEmpty(text) ? "" : " " + text;`
`88`	`90`	`}`
`89`	`91`	`}`
Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,8 @@ public Task<object> dbExec(TemplateScopeContext scope, string sql, Dictionary<st`
`86`	`86`	`public string sqlTake(int? limit) => padCondition(OrmLiteConfig.DialectProvider.SqlLimit(null, limit));`
`87`	`87`	`public string ormliteVar(string name) => OrmLiteConfig.DialectProvider.Variables.TryGetValue(name, out var value) ? value : null;`
`88`	`88`
	`89`	`+ public bool isSqlSafe(string sql) => OrmLiteUtils.IsSqlSafe(sql);`
	`90`	`+`
`89`	`91`	`private string padCondition(string text) => string.IsNullOrEmpty(text) ? "" : " " + text;`
`90`	`92`	`}`
`91`	`93`	`}`