Remove interpretation of string beginning with '0x' as hex values

Author: bladams

_mssql.pyx

@@ -1712,9 +1712,6 @@ cdef _quote_simple_value(value, charset='utf8'):
         return b'0x' + binascii.hexlify(bytes(value))
 
     if isinstance(value, (str, bytes)):
-        if value[0:2] == b'0x':
-            return value
-
         # see if it can be decoded as ascii if there are no null bytes
         if b'\0' not in value:
             try:

tests/test_queries.py

@@ -36,10 +36,11 @@ def createTestTable(cls):
                 data_binary varbinary(40),
                 decimal_no decimal(38,2),
                 numeric_no numeric(38,8),
-                stamp_time timestamp
+                stamp_time timestamp,
+                bin_data varbinary(16)
             )""")
             cls.tableCreated = True
-            cls.testTableColCount = 15
+            cls.testTableColCount = 16
         except _mssql.MSSQLDatabaseException as e:
             if e.number != 2714:
                 raise
@@ -64,16 +65,18 @@ def insertSampleData(self):
                 comment_text,
                 comment_nvch,
                 decimal_no,
-                numeric_no
+                numeric_no,
+                bin_data
             ) VALUES (
                 %d, %d, %d, getdate(), %d,
                 'comment %d',
                 'detail %d',
                 'hmm',
                 'bhmme',
                 234.99,
-                894123.09
-            );""" % (y, y, y, (y % 2), y, y)
+                894123.09,
+                %#x
+            );""" % (y, y, y, (y % 2), y, y, y)
             self.mssql.execute_non_query(query)
 
     def test01SimpleSelect(self):
@@ -112,3 +115,8 @@ def test19MultipleResults(self):
 
         rows = tuple(self.mssql)
         self.assertEquals(rows[0][0], 'ret3')
+
+    def test04BinaryTypeSqlInjection(self):
+        self.mssql.execute_query('SELECT * FROM pymssql WHERE bin_data=%s', ('0x OR 1=1;',))
+        rows = tuple(self.mssql)
+        self.assertEqual(len(rows), 0)

tests/test_types.py

@@ -91,6 +91,12 @@ def test_varchar(self):
         typeeq(u'foobar', colval)
         self.hasheq(u'foobar', colval)
 
+    def test_varchar_hex(self):
+        testval = '0xf00'
+        colval = self.insert_and_select('comment_vch', testval, 's')
+        typeeq(u'0xf00', colval)
+        self.hasheq(u'0xf00', colval)
+
     def test_varchar_unicode(self):
         testval = u'foobär'
         colval = self.insert_and_select('comment_vch', testval, 's')
@@ -103,13 +109,6 @@ def test_nvarchar_unicode(self):
         typeeq(testval, colval)
         eq_(testval, colval)
 
-    def test_binary_string(self):
-        bindata = '{z\n\x03\x07\x194;\x034lE4ISo'.encode('ascii')
-        testval = '0x'.encode('ascii') + binascii.hexlify(bindata)
-        colval = self.insert_and_select('data_binary', testval, 's')
-        typeeq(bindata, colval)
-        eq_(bindata, colval)
-
     def test_binary_bytearray(self):
         bindata = '{z\n\x03\x07\x194;\x034lE4ISo'.encode('ascii')
         colval = self.insert_and_select('data_binary', bytearray(bindata), 's')