
Commit 0a8a65b

committed
Update regarding #4248
1 parent 5d370f2 commit 0a8a65b

2 files changed

Lines changed: 20 additions & 19 deletions


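--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -4128,24 +4128,25 @@ def safeSQLIdentificatorNaming(name, isTable=False):
 
 # Note: SQL 92 has restrictions for identifiers starting with underscore (e.g. http://www.frontbase.com/documentation/FBUsers_4.pdf)
 if retVal.upper() in kb.keywords or (not isTable and (retVal or " ")[0] == '_') or (retVal or " ")[0].isdigit() or not re.match(r"\A[A-Za-z0-9_@%s\$]+\Z" % ('.' if _ else ""), retVal): # MsSQL is the only DBMS where we automatically prepend schema to table name (dot is normal)
-retVal = unsafeSQLIdentificatorNaming(retVal)
-
-if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS, DBMS.CUBRID, DBMS.SQLITE): # Note: in SQLite double-quotes are treated as string if column/identifier is non-existent (e.g. SELECT "foobar" FROM users)
-retVal = "`%s`" % retVal
-elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.DB2, DBMS.HSQLDB, DBMS.H2, DBMS.INFORMIX, DBMS.MONETDB, DBMS.VERTICA, DBMS.MCKOI, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CACHE, DBMS.EXTREMEDB, DBMS.FRONTBASE):
-retVal = "\"%s\"" % retVal
-elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.ALTIBASE, DBMS.MIMERSQL):
-retVal = "\"%s\"" % retVal.upper()
-elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
-if isTable:
-parts = retVal.split('.', 1)
-for i in xrange(len(parts)):
-if parts[i] and (re.search(r"\A\d|[^\w]", parts[i], re.U) or parts[i].upper() in kb.keywords):
-parts[i] = "[%s]" % parts[i]
-retVal = '.'.join(parts)
-else:
-if re.search(r"\A\d|[^\w]", retVal, re.U) or retVal.upper() in kb.keywords:
-retVal = "[%s]" % retVal
+if not conf.noEscape:
+retVal = unsafeSQLIdentificatorNaming(retVal)
+
+if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS, DBMS.CUBRID, DBMS.SQLITE): # Note: in SQLite double-quotes are treated as string if column/identifier is non-existent (e.g. SELECT "foobar" FROM users)
+retVal = "`%s`" % retVal
+elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.DB2, DBMS.HSQLDB, DBMS.H2, DBMS.INFORMIX, DBMS.MONETDB, DBMS.VERTICA, DBMS.MCKOI, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CACHE, DBMS.EXTREMEDB, DBMS.FRONTBASE):
+retVal = "\"%s\"" % retVal
+elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.ALTIBASE, DBMS.MIMERSQL):
+retVal = "\"%s\"" % retVal.upper()
+elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
+if isTable:
+parts = retVal.split('.', 1)
+for i in xrange(len(parts)):
+if parts[i] and (re.search(r"\A\d|[^\w]", parts[i], re.U) or parts[i].upper() in kb.keywords):
+parts[i] = "[%s]" % parts[i]
+retVal = '.'.join(parts)
+else:
+if re.search(r"\A\d|[^\w]", retVal, re.U) or retVal.upper() in kb.keywords:
+retVal = "[%s]" % retVal
 
 if _ and DEFAULT_MSSQL_SCHEMA not in retVal and '.' not in re.sub(r"\[[^]]+\]", "", retVal):
 retVal = "%s.%s" % (DEFAULT_MSSQL_SCHEMA, retVal)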
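Review bot: With `conf.noEscape` set, a name that the outer condition has just classified as needing quoting (reserved keyword, leading digit or underscore, characters outside `[A-Za-z0-9_@$]`) now passes through unquoted, and the `unsafeSQLIdentificatorNaming` normalisation is skipped as well, so the statement built from it can be syntactically invalid or parse differently on the back end. Nothing at the new `if not conf.noEscape:` line records that this is intended; a comment such as `# Note: with --no-escape identifiers are deliberately left as-is (no quoting), even when reserved or otherwise invalid unquoted` would document it, and a one-time debug message when the branch is skipped would make failed queries traceable to the option. Indentation is lost in this view, so it is not clear whether the MSSQL schema prefix at the end of the hunk is still applied in that case; if it is, the result is a schema-qualified but unquoted name. The function starts and ends outside the hunk.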

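--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.4.6.20"
+VERSION = "1.4.6.21"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)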
