Class: String

Inherits:
  • Object
Defined in:
lib/ronin/formatting/extensions/sql/string.rb

Overview

Ronin SQL - A Ruby DSL for crafting SQL Injections.

Copyright (c) 2007-2013 Hal Brodigan (postmodern.mod3 at gmail.com)

This file is part of Ronin SQL.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

Instance Method Summary

Instance Method Details

#sql_decode ⇒ Object

Returns the SQL decoded form of the String.

Examples:

"'Conan O''Brian'".sql_decode
# => "Conan O'Brian"
"2f6574632f706173737764".sql_decode
# => "/etc/passwd"

Raises:

  • The String is neither hex encoded nor SQL escaped.

# File 'lib/ronin/formatting/extensions/sql/string.rb', line 126

def sql_decode
  # An even-length run of hex digits is treated as a hex string literal
  # (the form sql_encode produces, without its 0x prefix).
  if (self =~ /^[0-9a-fA-F]{2,}$/ && (length % 2 == 0))
    raw = ''.b   # accumulate raw bytes

    scan(/../) do |hex_char|
      # Integer#chr yields the single byte; appending the Integer itself
      # would append a codepoint, which mangles bytes above 0x7F.
      raw << hex_char.to_i(16).chr
    end

    return raw.force_encoding(encoding)
  else
    # Anything else is expected to be a quoted, escaped SQL string.
    sql_unescape
  end
end

#sql_encode ⇒ Object

Returns the SQL hex-string encoded form of the String.

Examples:

"/etc/passwd".sql_encode
# => "0x2f6574632f706173737764"


# File 'lib/ronin/formatting/extensions/sql/string.rb', line 96

def sql_encode
  return '' if empty?

  # MySQL-style hex string literal: 0x followed by two hex digits per byte.
  hex_string = '0x'

  each_byte do |b|
    hex_string << ('%.2x' % b)
  end

  return hex_string
end

#sql_escape(quotes = :single) ⇒ String

Escapes a String for SQL.

Examples:

"O'Brian".sql_escape
# => "'O''Brian'"

Escape with double quotes:

"O'Brian".sql_escape(:double)
# => "\"O'Brian\""

Parameters:

  • quotes (:single, :double, :tick) (defaults to: :single)

    Specifies the quoting style: single quotes, double quotes or back-ticks.

Returns:

  • (String)

    The escaped String.

Raises:

  • (TypeError)

    The quotes argument was neither :single, :double nor :tick.



# File 'lib/ronin/formatting/extensions/sql/string.rb', line 47

def sql_escape(quotes=:single)
  # Pick the delimiter for the requested quoting style.
  char = case quotes
         when :single then "'"
         when :double then '"'
         when :tick   then '`'
         else
           raise(ArgumentError,"invalid quoting style #{quotes.inspect}")
         end

  # Double every embedded delimiter, then wrap the result in delimiters.
  return char + gsub(char,char * 2) + char
end

#sql_unescape ⇒ String

Unescapes a SQL String.

Examples:

"'O''Brian'".sql_unescape
# => "O'Brian"

Returns:

  • (String)

    The unescaped String.

Raises:

  • The String was not quoted with single, double or tick-mark quotes.

Since:

  • 1.0.0



# File 'lib/ronin/formatting/extensions/sql/string.rb', line 76

def sql_unescape
  # The String must begin and end with the same delimiter.
  char = if    (self[0] == "'" && self[-1] == "'") then "'"
         elsif (self[0] == '"' && self[-1] == '"') then '"'
         elsif (self[0] == '`' && self[-1] == '`') then '`'
         else
           raise(TypeError,"#{self.inspect} is not properly quoted")
         end

  # Strip the outer delimiters and undouble the embedded ones.
  return self[1..-2].gsub(char * 2,char)
end
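As an added example, not Ronin SQL's own code, the following Ruby module ports the encode/decode and escape/unescape pairs documented above into a normaliser a reviewer can run over captured parameter values or statements: it decodes the 0x hex literals that sql_encode emits (which sql_decode above does not strip) and reverses doubled-quote escaping. Only core Ruby is assumed; the module and method names are hypothetical.

```ruby
# Added example (not Ronin SQL's own code): decode the two encodings the
# String extensions above produce, so a reviewer reading captured statements
# or parameter values sees the plain string. Uses only core Ruby.
module SqlLiteralNormalizer
  QUOTE_CHARS = ["'", '"', '`'].freeze
  HEX_LITERAL = /\b0[xX]((?:[0-9a-fA-F]{2})+)\b/

  # Mirrors sql_encode: a MySQL-style hex string literal with a 0x prefix.
  def self.hex_encode(str)
    return '' if str.empty?
    '0x' + str.each_byte.map { |b| '%.2x' % b }.join
  end

  # Like sql_decode, but also accepts the 0x prefix that sql_encode emits,
  # so encode -> decode round-trips. Returns nil for anything else.
  def self.hex_decode(str)
    body = str.sub(/\A0[xX]/, '')
    return nil unless body.match?(/\A(?:[0-9a-fA-F]{2})+\z/)
    [body].pack('H*').force_encoding(str.encoding)
  end

  # Like sql_unescape: strip matching outer quotes, undouble inner ones.
  # Returns nil when the value is not a quoted literal.
  def self.unquote(str)
    char = str[0]
    return nil unless str.length >= 2 && QUOTE_CHARS.include?(char) && str[-1] == char
    str[1..-2].gsub(char * 2, char)
  end

  # Classify one parameter value and return its decoded form.
  def self.normalize(value)
    if (plain = hex_decode(value)) then { kind: :hex_literal, value: plain }
    elsif (plain = unquote(value)) then { kind: :quoted, value: plain }
    else { kind: :plain, value: value }
    end
  end

  # Every 0x... literal in a captured statement, decoded in order.
  def self.hex_literals_in(sql)
    sql.scan(HEX_LITERAL).map { |(hex)| hex_decode(hex) }
  end
end
```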