class Ronin::SQL::Injection
Represents a SQL injection (SQLi).
@api public
Constants
- PLACE_HOLDERS
Default place holder values.
Attributes
escape[R]
The type of element to escape out of
expression[R]
The expression that will be injected
Public Class Methods
new(options={},&block)
Initializes a new SQL injection.
@param [Hash] options
Additional injection options.
@option options [:integer, :decimal, :string, :column] :escape (:integer)
The type of element to escape out of.
@option options [Boolean] :terminate
Specifies whether to terminate the SQLi with a comment.
@option options [String, Symbol, Integer] :place_holder
Place-holder data.
@yield [(injection)]
If a block is given, it will be evaluated within the injection. If the block accepts an argument, the block will be called with the new injection.
@yieldparam [Injection] injection
The new injection.
Calls superclass method
  # File lib/ronin/sql/injection.rb, line 80
  def initialize(options={},&block)
    # which kind of element the injection escapes out of (defaults to :integer)
    @escape = options.fetch(:escape,:integer)

    # explicit place-holder, or the default one for the escape type
    place_holder = options.fetch(:place_holder) do
      PLACE_HOLDERS.fetch(@escape)
    end

    @expression = InjectionExpr.new(place_holder)

    super(&block)
  end
Public Instance Methods
and(&block)
Appends an ‘AND` expression to the injection.
@yield [(expr)]
The return value of the block will be used as the right-hand side operand. If the block accepts an argument, it will be called with the injection.
@yieldparam [InjectionExpr] expr
@return [self]
  # File lib/ronin/sql/injection.rb, line 104
  def and(&block)
    @expression.and(&block)
    return self
  end
or(&block)
Appends an ‘OR` expression to the injection.
@yield [(expr)]
The return value of the block will be used as the right-hand side operand. If the block accepts an argument, it will be called with the injection expression.
@yieldparam [InjectionExpr] expr
@return [self]
  # File lib/ronin/sql/injection.rb, line 121
  def or(&block)
    @expression.or(&block)
    return self
  end
to_sql(options={})
Converts the SQL injection to SQL.
@param [Hash] options
Additional options for {Emitter#initialize}.
@option options [Boolean] :terminate
Specifies whether to terminate the injection with `;--`.
@return [String]
The raw SQL.
  # File lib/ronin/sql/injection.rb, line 138
  def to_sql(options={})
    emitter = emitter(options)
    sql     = @expression.to_sql(options)

    unless clauses.empty?
      sql << emitter.space << emitter.emit_clauses(clauses)
    end

    unless statements.empty?
      sql << ';' << emitter.space << emitter.emit_statement_list(self)
    end

    case @escape
    when :string, :list
      if (options[:terminate] || (sql[0,1] != sql[-1,1]))
        # terminate the expression
        sql << ';--'
      else
        sql = sql[0..-2]
      end

      # balance the quotes
      sql = sql[1..-1]
    else
      if options[:terminate]
        # terminate the expression
        sql << ';--'
      end
    end

    return sql
  end