Class: String
- Inherits: Object
  - Object
  - String
- Defined in: lib/ronin/formatting/extensions/sql/string.rb
Overview
Ronin SQL - A Ruby DSL for crafting SQL Injections.
Copyright (c) 2007-2013 Hal Brodigan (postmodern.mod3 at gmail.com)
This file is part of Ronin SQL.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Instance Method Summary
- #sql_decode ⇒ Object
  Returns the SQL decoded form of the String.
- #sql_encode ⇒ Object
  Returns the SQL hex-string encoded form of the String.
- #sql_escape(quotes = :single) ⇒ String
  Escapes a String for SQL.
- #sql_unescape ⇒ String
  Unescapes a SQL String.
Instance Method Details
#sql_decode ⇒ Object
Returns the SQL decoded form of the String.
    # File 'lib/ronin/formatting/extensions/sql/string.rb', line 126

    def sql_decode
      if (self =~ /^[0-9a-fA-F]{2,}$/ && (length % 2 == 0))
        raw = ''

        scan(/../) do |hex_char|
          raw << hex_char.to_i(16)
        end

        return raw
      else
        sql_unescape
      end
    end
#sql_encode ⇒ Object
Returns the SQL hex-string encoded form of the String.
    # File 'lib/ronin/formatting/extensions/sql/string.rb', line 96

    def sql_encode
      return '' if empty?

      hex_string = '0x'

      each_byte do |b|
        hex_string << ('%.2x' % b)
      end

      return hex_string
    end
#sql_escape(quotes = :single) ⇒ String
Escapes a String for SQL.
    # File 'lib/ronin/formatting/extensions/sql/string.rb', line 47

    def sql_escape(quotes=:single)
      char = case quotes
             when :single then "'"
             when :double then '"'
             when :tick   then '`'
             else
               raise(ArgumentError,"invalid quoting style #{quotes.inspect}")
             end

      return char + gsub(char,char * 2) + char
    end
#sql_unescape ⇒ String
Unescapes a SQL String.
    # File 'lib/ronin/formatting/extensions/sql/string.rb', line 76

    def sql_unescape
      char = if    (self[0] == "'" && self[-1] == "'") then "'"
             elsif (self[0] == '"' && self[-1] == '"') then '"'
             elsif (self[0] == '`' && self[-1] == '`') then '`'
             else
               raise(TypeError,"#{self.inspect} is not properly quoted")
             end

      return self[1..-2].gsub(char * 2,char)
    end
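A defensive use of the two formats documented above, as an added example that is not part of Ronin SQL: it pulls `0x…` hex literals (the form `sql_encode` emits) and quote-doubled literals (the form `sql_escape` emits with `:single`) out of logged input and decodes them, so review or signature matching sees the plain text. The constant names, helper names and sample log lines are constructed for illustration.

```ruby
# Added example, not Ronin SQL code. All names below are hypothetical.

# "0x" followed by whole byte pairs; an odd digit count does not match.
HEX_LITERAL    = /\b0x((?:[0-9a-fA-F]{2})+)\b/
# Single-quoted literal where an embedded quote is written as ''.
QUOTED_LITERAL = /'((?:[^']|'')*)'/

# Constructed sample lines (not taken from any real log).
SAMPLE_LOG = [
  'GET /items?id=42',
  'GET /items?name=0x61646d696e',
  "GET /items?note='it''s fine'",
  'GET /items?color=0xff00ff00'
].freeze

# Turn the hex digits after "0x" back into raw bytes (binary String).
def decode_hex_literal(hex_digits)
  [hex_digits].pack('H*')
end

# Return every literal found in text as { kind:, raw:, decoded: }.
def extract_literals(text)
  found = []
  text.scan(HEX_LITERAL).flatten.each do |digits|
    found << { kind: :hex, raw: "0x#{digits}",
               decoded: decode_hex_literal(digits) }
  end
  text.scan(QUOTED_LITERAL).flatten.each do |body|
    found << { kind: :quoted, raw: "'#{body}'",
               decoded: body.gsub("''", "'") }
  end
  found
end

# Keep lines carrying a hex literal that decodes to printable ASCII text of
# at least min_len bytes: text hidden from filters that only look for quotes.
def suspicious_lines(lines, min_len: 4)
  lines.select do |line|
    extract_literals(line).any? do |lit|
      lit[:kind] == :hex &&
        lit[:decoded].bytesize >= min_len &&
        lit[:decoded].match?(/\A[\x20-\x7e]+\z/)
    end
  end
end

suspicious_lines(SAMPLE_LOG).each { |line| puts line }
```

Note that `sql_decode` as listed above only accepts bare hex digits, so the scanner strips the `0x` prefix itself before decoding.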