When looking up a bind variable by name: escape any special characters
authorscottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Thu, 10 Jun 2010 20:10:42 +0000 (20:10 +0000)
committerscottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Thu, 10 Jun 2010 20:10:42 +0000 (20:10 +0000)
in the name before building the query.

M    Open-ILS/src/c-apps/oils_storedq.c

git-svn-id: svn://svn.open-ils.org/ILS/trunk@16666 dcc99617-32d9-48b4-a31d-7c20da2025e4

Open-ILS/src/c-apps/oils_storedq.c

index c39c3e2..6cf41d5 100644 (file)
@@ -1011,10 +1011,19 @@ static BindVar* getBindVar( BuildSQLState* state, const char* name ) {
                        return bind;   // Already loaded it...
        }
 
-       // Load a BindVar from the Database.
+       // Load a BindVar from the Database.(after escaping any special characters)
+       char* esc_str = strdup( name );
+       dbi_conn_quote_string( state->dbhandle, &esc_str );
+       if( !esc_str ) {
+               osrfLogError( OSRF_LOG_MARK, sqlAddMsg( state,
+                       "Unable to format bind variable name \"%s\"", name ));
+               state->error = 1;
+               return NULL;
+       }
        dbi_result result = dbi_conn_queryf( state->dbhandle,
                "SELECT name, type, description, default_value, label "
-               "FROM query.bind_variable WHERE name = \'%s\';", name );
+               "FROM query.bind_variable WHERE name = %s;", esc_str );
+       free( esc_str );
        if( result ) {
                if( dbi_result_first_row( result ) ) {
                        bind = constructBindVar( state, result );
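Review bot: The `strdup( name )` result on the line after the new comment is handed to `dbi_conn_quote_string()` without a NULL check, so an allocation failure reaches the library with a NULL string before the `if( !esc_str )` guard ever runs, and the `size_t` length that `dbi_conn_quote_string()` returns (0 on error) is discarded, so the guard only catches a failure if the library nulls the pointer itself. Checking both in one condition makes the error path independent of that behaviour: `char* esc_str = strdup( name );` then `if( !esc_str || dbi_conn_quote_string( state->dbhandle, &esc_str ) == 0 ) {`. Inside that error branch add `free( esc_str );` before `return NULL;` — `free(NULL)` is a no-op, so this is safe whether or not the library releases the buffer on failure, and it avoids leaking the copy if it does not. The quoting itself is the right fix for the previously interpolated `'%s'`; the function getBindVar begins and ends outside this hunk.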