/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author Jeff Williams Aspect Security
* @created 2007
*/
package org.owasp.esapi.codecs;
/**
* Implementation of the Codec interface for Oracle strings. This codec will only protect you from SQLi in the case of user data
* being placed within an Oracle quoted string such as:
*
* select * from table where user_name=' USERDATA ';
*
* @see how-to-escape-single-quotes-in-strings
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @author Jim Manico ([email protected]) Manico.net
* @since June 1, 2007
* @see org.owasp.esapi.Encoder
*/
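public class OracleCodec extends AbstractCharacterCodec {

    /** The only character this codec treats as special inside an Oracle quoted string. */
    private static final char SINGLE_QUOTE = '\'';

    /** Oracle's escape for a literal single quote inside a quoted string: the quote doubled. */
    private static final String ESCAPED_QUOTE = "''";

    /**
     * {@inheritDoc}
     *
     * Encodes {@code '} as {@code ''}; every other character is returned unchanged.
     *
     * Only the quote delimiter is escaped, so this is safe solely for a value
     * that the caller places inside a single-quoted Oracle string literal.
     * It is a fallback for code that cannot use bind variables, not a
     * replacement for them.
     *
     * @param immune ignored: this codec has no per-call immune set, because the
     *               only special character must always be escaped
     * @param c the character to encode; must not be {@code null}
     * @return {@code ''} when {@code c} is a single quote, otherwise the
     *         one-character string for {@code c}
     * @throws NullPointerException if {@code c} is {@code null} (unboxing)
     */
    public String encodeCharacter( char[] immune, Character c ) {
        if (c.charValue() == SINGLE_QUOTE) {
            return ESCAPED_QUOTE;
        }
        return String.valueOf(c);
    }

    /**
     * {@inheritDoc}
     *
     * Returns the decoded version of the character starting at the current
     * position of {@code input}, or {@code null} if no decoding is possible.
     *
     * The only encoded form is {@code ''}, which decodes to {@code '}. When the
     * next two characters are not exactly two single quotes (including when the
     * input runs out), the input is rewound to its position on entry and
     * {@code null} is returned, so the caller can treat the character as plain.
     *
     * @param input the sequence to read from; must support mark/reset
     * @return the decoded single quote, or {@code null} when nothing was decoded
     */
    public Character decodeCharacter( PushbackSequence input ) {
        input.mark();
        // Consume exactly two characters, both of which must be single quotes;
        // on any mismatch rewind so no input is consumed for a non-match.
        for (int consumed = 0; consumed < 2; consumed++) {
            Character ch = input.next();
            if (ch == null || ch.charValue() != SINGLE_QUOTE) {
                input.reset();
                return null;
            }
        }
        return Character.valueOf(SINGLE_QUOTE);
    }
}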