From: scottmk Date: Fri, 31 Jul 2009 12:21:49 +0000 (+0000) Subject: In oils_cstore.c: accept "is distinct from" and "is not distinct from" X-Git-Tag: sprint4-merge-nov22~9579 X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=efd61017f9c77555ee8e76fd661a11c5cdefa8e1;p=working%2FEvergreen.git In oils_cstore.c: accept "is distinct from" and "is not distinct from" as comparison operators. git-svn-id: svn://svn.open-ils.org/ILS/trunk@13787 dcc99617-32d9-48b4-a31d-7c20da2025e4 --- diff --git a/Open-ILS/src/c-apps/oils_cstore.c b/Open-ILS/src/c-apps/oils_cstore.c index f557f38727..1f4d63c83f 100644 --- a/Open-ILS/src/c-apps/oils_cstore.c +++ b/Open-ILS/src/c-apps/oils_cstore.c @@ -5217,10 +5217,10 @@ Determine whether to accept a character string as a comparison operator. Return 1 if it's good, or 0 if it's bad. We don't validate it for real. We just make sure that it doesn't contain -any semicolons or white space (with a special exception for the -"SIMILAR TO" operator). The idea is to block certain kinds of SQL -injection. If it has no semicolons or white space but it's still not a -valid operator, then the database will complain. +any semicolons or white space (with special exceptions for a few specific +operators). The idea is to block certain kinds of SQL injection. If it +has no semicolons or white space but it's still not a valid operator, then +the database will complain. Another approach would be to compare the string against a short list of approved operators. We don't do that because we want to allow custom 
@@ -5233,10 +5233,14 @@ static int is_good_operator( const char* op ) { const char* s = op; while( *s ) { if( isspace( (unsigned char) *s ) ) { - // Special exception for SIMILAR TO. Someday we might make - // exceptions for IS DISTINCT FROM and IS NOT DISTINCT FROM. + // Special exceptions for SIMILAR TO, IS DISTINCT FROM, + // and IS NOT DISTINCT FROM. if( !strcasecmp( op, "similar to" ) ) return 1; + else if( !strcasecmp( op, "is distinct from" ) ) + return 1; + else if( !strcasecmp( op, "is not distinct from" ) ) + return 1; else return 0; }
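Review bot: In the comment block above is_good_operator() (first hunk), "with special exceptions for a few specific operators" is less precise than the wording it replaces, which named SIMILAR TO. This comment documents what an SQL injection filter lets through, so it should list the accepted multi-word operators (SIMILAR TO, IS DISTINCT FROM, IS NOT DISTINCT FROM) and say that they are matched case-insensitively against the whole string. A reader auditing the filter should not have to read the loop to learn what the exceptions are.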
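Review bot: In is_good_operator() (second hunk), the whitespace branch now holds three strcasecmp() calls that each end in `return 1`, and every further exception will lengthen the chain. Consider a small static array of the permitted multi-word operators with one loop over it, so the allow-list lives in one place. Keep the comparison against the full `op` string as it is here: because strcasecmp() matches the whole operator, nothing can be appended after an accepted phrase, and a spelling with a tab or a doubled space falls through to `return 0`. It would help to say in the comment that only the single-space spelling is accepted.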