11 yıl önce · 916a1f2433
--- a/connection.go
+++ b/connection.go
@@ -167,16 +167,13 @@ func (mc *mysqlConn) Prepare(query string) (driver.Stmt, error) {
 
				 
			
 
				 // https://github.com/mysql/mysql-server/blob/mysql-5.7.5/libmysql/libmysql.c#L1150-L1156
			
 
				 func (mc *mysqlConn) escapeBytes(buf, v []byte) []byte {
			
 
				-	var escape func([]byte, []byte) []byte
			
 
				+	buf = append(buf, '\'')
			
 
				 	if mc.status&statusNoBackslashEscapes == 0 {
			
 
				-		escape = escapeString
			
 
				+		buf = escapeBackslash(buf, v)
			
 
				 	} else {
			
 
				-		escape = escapeQuotes
			
 
				+		buf = escapeQuotes(buf, v)
			
 
				 	}
			
 
				-	buf = append(buf, '\'')
			
 
				-	buf = escape(buf, v)
			
 
				-	buf = append(buf, '\'')
			
 
				-	return buf
			
 
				+	return append(buf, '\'')
			
 
				 }
			
 
				 
			
 
				 // estimateParamLength calculates upper bound of string length from types.
			
--- a/driver_test.go
+++ b/driver_test.go
@@ -1556,7 +1556,7 @@ func TestSqlInjection(t *testing.T) {
 
				 
			
 
				 			var v int
			
 
				 			// NULL can't be equal to anything, the idea here is to inject query so it returns row
			
 
				-			// This test verifies that EscapeQuotes and EscapeStrings are working properly
			
 
				+			// This test verifies that escapeQuotes and escapeBackslash are working properly
			
 
				 			err := dbt.db.QueryRow("SELECT v FROM test WHERE NULL = ?", arg).Scan(&v)
			
 
				 			if err == sql.ErrNoRows {
			
 
				 				return // success, sql injection failed
			
@@ -1583,7 +1583,7 @@ func TestInsertRetrieveEscapedData(t *testing.T) {
 
				 	testData := func(dbt *DBTest) {
			
 
				 		dbt.mustExec("CREATE TABLE test (v VARCHAR(255))")
			
 
				 
			
 
				-		// All sequences that are escaped by EscapeQuotes and EscapeString
			
 
				+		// All sequences that are escaped by escapeQuotes and escapeBackslash
			
 
				 		v := "foo \x00\n\r\x1a\"'\\"
			
 
				 		dbt.mustExec("INSERT INTO test VALUES (?)", v)
			
 
				 
			
--- a/utils.go
+++ b/utils.go
@@ -812,7 +812,7 @@ func appendLengthEncodedInteger(b []byte, n uint64) []byte {
 
				 // characters, and turning others into specific escape sequences, such as
			
 
				 // turning newlines into \n and null bytes into \0.
			
 
				 // https://github.com/mysql/mysql-server/blob/mysql-5.7.5/mysys/charset.c#L823-L932
			
 
				-func escapeString(buf, v []byte) []byte {
			
 
				+func escapeBackslash(buf, v []byte) []byte {
			
 
				 	pos := len(buf)
			
 
				 	end := pos + len(v)*2
			
 
				 	if cap(buf) < end {
			
--- a/utils_test.go
+++ b/utils_test.go
@@ -253,9 +253,9 @@ func TestFormatBinaryDateTime(t *testing.T) {
 
				 	expect("1978-12-30 15:46:23.987654", 11, 26)
			
 
				 }
			
 
				 
			
 
				-func TestEscapeString(t *testing.T) {
			
 
				+func TestEscapeBackslash(t *testing.T) {
			
 
				 	expect := func(expected, value string) {
			
 
				-		actual := string(escapeString([]byte{}, []byte(value)))
			
 
				+		actual := string(escapeBackslash([]byte{}, []byte(value)))
			
 
				 		if actual != expected {
			
 
				 			t.Errorf(
			
 
				 				"expected %s, got %s",