From e4b2d122e18ebe76d383918b1b1a202f6f3437e1 Mon Sep 17 00:00:00 2001
From: sknair
Date: Tue, 16 Dec 2025 07:29:39 +0800
Subject: [PATCH] Escape bind_vars values to prevent SQL injection

---
 tePLSQL.pkb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tePLSQL.pkb b/tePLSQL.pkb
index a1f27f6..22cc35e 100755
--- a/tePLSQL.pkb
+++ b/tePLSQL.pkb
@@ -604,8 +604,12 @@ AS
 procedure replace_vars( i_key in varchar2, i_value in varchar2 )
 as
+ c_quoted_end constant varchar2(10) := ']''';
+ c_quoted_end_escaped constant varchar2(10) := ']"';
+ c_quoted_start constant varchar2(10) := 'q''[';
+ c_quoted_start_escaped constant varchar2(10) := 'q"[';
 begin
- p_template := REPLACE (p_template, '${' || i_key || '}', TO_CLOB ( i_value ));
+ p_template := REPLACE (p_template, '${' || i_key || '}', replace(replace(TO_CLOB ( i_value ), c_quoted_end, c_quoted_end_escaped), c_quoted_start, c_quoted_start_escaped));
 end;
 BEGIN
 if g_render_mode = g_render_mode_fetch_only
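Review bot: The escaping on the new `p_template := REPLACE (...)` line is a denylist that rewrites two exact byte sequences rather than quoting `i_value` for the context it lands in, so it silently corrupts legitimate data (a value containing `]'` is delivered as `]"`) while only covering the `q'[...]'` form — a bare `'` inside an ordinary `'...'` literal, another alternative-quote delimiter such as `q'{...}'`, or an uppercase `Q'[` (both `replace` calls are case-sensitive) would pass through untouched if a substituted value can reach such a context, and a value carrying template tags is also unaffected if substitution runs before tag parsing; neither can be confirmed from this hunk. Since the procedure name suggests the substituted text is later executed as PL/SQL (outside this hunk), a more robust fix is to paste a lookup of the original value (e.g. an element of a package-level collection keyed by `i_key`) into the generated code instead of the value itself, which removes the injection surface without altering data; if the byte rewrite is kept, state the trade-off above the constants, e.g. `-- NOTE: values containing ]' or q'[ are altered, not preserved; this only stops them from closing or opening a q'[...]' literal.` The hunk header counts one more old line than is visible here, so its tail may be cut off, and the enclosing block's `BEGIN` continues past the hunk.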