Merge pull request #127 from Iristyle/ticket/master/MODULES-2312-use-sp_executesql-for-arbitrary-queries

(DO NOT MERGE)(MODULES-2312) Use sp_executesql to execute T-SQL

Author: cyberious

lib/puppet/property/sqlserver_tsql.rb

@@ -3,9 +3,12 @@
 class Puppet::Property::SqlserverTsql < Puppet::Property
   desc 'TSQL property that we are going to wrap with a try catch'
   munge do |value|
+    quoted_value = value.gsub('\'', '\'\'')
     erb_template = <<-TEMPLATE
 BEGIN TRY
-    #{value}
+    DECLARE @sql_text as NVARCHAR(max);
+    SET @sql_text = N'#{quoted_value}'
+    EXECUTE sp_executesql @sql_text;
 END TRY
 BEGIN CATCH
     DECLARE @msg as VARCHAR(max);

spec/unit/puppet/property/tsql_spec.rb

@@ -14,8 +14,13 @@
   it 'should munge value to have begin and end try' do
     @node[:command] = 'function foo'
     @node[:onlyif] = 'exec bar'
-    expect(@node[:onlyif]).to match(/BEGIN TRY\n\s+exec bar\nEND TRY/)
-    expect(@node[:command]).to match(/BEGIN TRY\n\s+function foo\nEND TRY/)
+    expect(@node[:onlyif]).to match(/BEGIN TRY\n\s+DECLARE @sql_text as NVARCHAR\(max\);\n\s+SET @sql_text = N'exec bar'\n\s+EXECUTE sp_executesql @sql_text;\nEND TRY/)
+    expect(@node[:command]).to match(/BEGIN TRY\n\s+DECLARE @sql_text as NVARCHAR\(max\);\n\s+SET @sql_text = N'function foo'\n\s+EXECUTE sp_executesql @sql_text;\nEND TRY/)
+  end
+
+  it 'should properly escape single quotes in queries' do
+    @node[:command] = 'SELECT \'FOO\''
+    expect(@node[:command]).to match(/SET @sql_text = N'SELECT \'\'FOO\'\'/)
   end
 
 end

spec/unit/puppet/provider/sqlserver__tsql_spec.rb

@@ -22,9 +22,12 @@ def stub_get_instance_config(config)
   end
 
   def gen_query(query)
+    quoted_query = query.gsub('\'', '\'\'')
     <<-PP
 BEGIN TRY
-    #{query}
+    DECLARE @sql_text as NVARCHAR(max);
+    SET @sql_text = N'#{quoted_query}'
+    EXECUTE sp_executesql @sql_text;
 END TRY
 BEGIN CATCH
     DECLARE @msg as VARCHAR(max);