lib/ronin/sql/injection.rb in ronin-sql-1.0.0 vs lib/ronin/sql/injection.rb in ronin-sql-1.1.0
- old
+ new
@@ -18,20 +18,24 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
-require 'ronin/sql/binary_expr'
require 'ronin/sql/literals'
require 'ronin/sql/clauses'
+require 'ronin/sql/injection_expr'
require 'ronin/sql/statement_list'
module Ronin
module SQL
#
# Represents a SQL injection (SQLi).
#
+ # @api public
+ #
+ # @see http://en.wikipedia.org/wiki/SQL_injection
+ #
class Injection < StatementList
include Literals
include Clauses
@@ -45,13 +49,10 @@
}
# The type of element to escape out of
attr_reader :escape
- # The place holder data
- attr_reader :place_holder
-
# The expression that will be injected
attr_reader :expression
#
# Initializes a new SQL injection.
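Review bot: Dropping `attr_reader :place_holder` removes a public reader that 1.0.0 callers may depend on, and the hunk adds no replacement, so the 1.1.0 class silently loses part of its interface. If `InjectionExpr` exposes the wrapped placeholder, a deprecated delegating reader would keep old callers working, e.g. `# @deprecated use {#expression}` followed by `def place_holder; @expression.expression; end` (name to be confirmed against `injection_expr.rb`). The `@escape` reader's comment would also be more useful if it named the accepted values, presumably the keys of `PLACE_HOLDERS` defined just above this hunk, e.g. `# The type of element to escape out of (a key of PLACE_HOLDERS, e.g. :integer)`.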
@@ -76,60 +77,51 @@
# @yieldparam [Injection] injection
# The new injection.
#
def initialize(options={},&block)
@escape = options.fetch(:escape,:integer)
- @place_holder = options.fetch(:place_holder) do
+
+ place_holder = options.fetch(:place_holder) do
PLACE_HOLDERS.fetch(@escape)
end
- @expression = @place_holder
+ @expression = InjectionExpr.new(place_holder)
super(&block)
end
#
# Appends an `AND` expression to the injection.
#
- # @yield [(injection)]
+ # @yield [(expr)]
# The return value of the block will be used as the right-hand side
# operand. If the block accepts an argument, it will be called with
# the injection.
#
- # @yieldparam [Injection] injection
+ # @yieldparam [InjectionExpr] expr
#
# @return [self]
#
def and(&block)
- value = case block.arity
- when 0 then instance_eval(&block)
- else block.call(self)
- end
-
- @expression = BinaryExpr.new(@expression,:AND,value)
+ @expression.and(&block)
return self
end
#
# Appends an `OR` expression to the injection.
#
- # @yield [(injection)]
+ # @yield [(expr)]
# The return value of the block will be used as the right-hand side
# operand. If the block accepts an argument, it will be called with
- # the injection.
+ # the injection expression.
#
- # @yieldparam [Injection] injection
+ # @yieldparam [InjectionExp] expr
#
# @return [self]
#
def or(&block)
- value = case block.arity
- when 0 then instance_eval(&block)
- else block.call(self)
- end
-
- @expression = BinaryExpr.new(@expression,:OR,value)
+ @expression.or(&block)
return self
end
#
# Converts the SQL injection to SQL.
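Review bot: The new `@yieldparam` tag in `or` reads `[InjectionExp] expr`, which does not match the `InjectionExpr` class required at the top of the file, so YARD will link to a nonexistent type; it should be `# @yieldparam [InjectionExpr] expr`. The `and` docstring is also left inconsistent with `or`: its yield description still says the block "will be called with the injection" while `or` now correctly says "the injection expression", and since both methods now delegate to `@expression.and(&block)` / `@expression.or(&block)` the block's receiver is presumably the `InjectionExpr`, not the `Injection`, so `and`'s text should say `# the injection expression.` as well. Separately, `PLACE_HOLDERS.fetch(@escape)` in `initialize` raises a bare `KeyError` for an unrecognised `:escape` value; a caller-friendly guard such as `PLACE_HOLDERS.fetch(@escape) { raise ArgumentError, "unknown escape type: #{@escape.inspect}" }` would make the failure self-explanatory.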
@@ -143,12 +135,10 @@
# @return [String]
# The raw SQL.
#
def to_sql(options={})
emitter = emitter(options)
- sql = ''
-
- sql << emitter.emit(@expression)
+ sql = @expression.to_sql(options)
unless clauses.empty?
sql << emitter.space << emitter.emit_clauses(clauses)
end
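Review bot: `to_sql` now appends with `sql << emitter.space << ...` directly onto the object returned by `@expression.to_sql(options)`, whereas the old code appended onto a fresh `''`; unless `InjectionExpr#to_sql` is guaranteed to return a new unfrozen String, this either raises `FrozenError` (for a frozen literal or a `# frozen_string_literal: true` file) or mutates a string the expression object may hold onto. Taking a copy before appending avoids both, `sql = @expression.to_sql(options).dup`. The rest of `to_sql` (its return) lies outside this hunk.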