"Internal error: No string value in string expression # %d", expr->id ));
state->error = 1;
} else {
- // To do: escape special characters in the string
- buffer_add_char( state->sql, '\'' );
- buffer_add( state->sql, expr->literal );
- buffer_add_char( state->sql, '\'' );
+ char* str = strdup( expr->literal );
+ dbi_conn_quote_string( state->dbhandle, &str );
+ if( str ) {
+ buffer_add( state->sql, str );
+ free( str );
+ } else {
+ osrfLogWarning( OSRF_LOG_MARK, sqlAddMsg( state,
+ "Unable to format string literal \"%s\" for expression # %d",
+ expr->literal, expr->id ));
+ state->error = 1;
+ }
}
break;
case EXP_SUBQUERY :
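Review bot: The `if( str )` test right after `dbi_conn_quote_string( state->dbhandle, &str )` only catches a NULL pointer, so if quoting fails in a way that leaves `str` pointing at the unquoted copy, the raw literal is appended to `state->sql` and `state->error` is never set; the bind-variable hunk below (`jsonObjectToSimpleString` / `dbi_conn_quote_string`) has the same shape. libdbi signals failure through its size_t return value (0), which as far as I can tell also covers a NULL input such as a failed `strdup`, so the guard should be on that rather than on the pointer: `size_t len = dbi_conn_quote_string( state->dbhandle, &str );` then `if( len && str ) {`. The else branch should then `free( str );` before logging the warning, since a failed call may leave the duplicated string allocated. The enclosing switch statement and function begin and end outside the hunk.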
"Invalid value for bind variable: expected a string, found a number" );
state->error = 1;
} else {
- // To do: escape special characters in the string
- buffer_add_char( state->sql, '\'' );
- buffer_add( state->sql, jsonObjectGetString( obj ));
- buffer_add_char( state->sql, '\'' );
+ char* str = jsonObjectToSimpleString( obj );
+ dbi_conn_quote_string( state->dbhandle, &str );
+ if( str ) {
+ buffer_add( state->sql, str );
+ free( str );
+ } else {
+ osrfLogWarning( OSRF_LOG_MARK, sqlAddMsg( state,
+ "Unable to format string literal \"%s\" for bind variable",
+ jsonObjectGetString( obj )));
+ state->error = 1;
+ }
}
break;
case JSON_NUMBER :