From 186abbe88d474228b525e2a9c9c5c6e07d2a9e6e Mon Sep 17 00:00:00 2001
From: scottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Date: Thu, 10 Jun 2010 18:57:14 +0000
Subject: [PATCH] When building string literals in SQL: escape special
 characters.

M    Open-ILS/src/c-apps/buildSQL.c


git-svn-id: svn://svn.open-ils.org/ILS/trunk@16658 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/c-apps/buildSQL.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/Open-ILS/src/c-apps/buildSQL.c b/Open-ILS/src/c-apps/buildSQL.c
index 15cc46c552..032dafa6db 100644
--- a/Open-ILS/src/c-apps/buildSQL.c
+++ b/Open-ILS/src/c-apps/buildSQL.c
@@ -832,10 +832,17 @@ static void buildExpression( BuildSQLState* state, const Expression* expr ) {
 					"Internal error: No string value in string expression # %d", expr->id ));
 					state->error = 1;
 			} else {
-				// To do: escape special characters in the string
-				buffer_add_char( state->sql, '\'' );
-				buffer_add( state->sql, expr->literal );
-				buffer_add_char( state->sql, '\'' );
+				char* str = strdup( expr->literal );
+				dbi_conn_quote_string( state->dbhandle, &str );
+				if( str ) {
+					buffer_add( state->sql, str );
+					free( str );
+				} else {
+					osrfLogWarning( OSRF_LOG_MARK, sqlAddMsg( state,
+						"Unable to format string literal \"%s\" for expression # %d",
+							expr->literal, expr->id ));
+					state->error = 1;
+				}
 			}
 			break;
 		case EXP_SUBQUERY :
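Review bot: The new quoting relies on `str` becoming NULL when quoting fails, but `dbi_conn_quote_string` reports failure through its return value (the quoted length, 0 on error) and that value is discarded on the line after the `strdup`; what the call does to the pointer on that path is not visible here, and if it is left pointing at the unquoted copy the raw literal is appended to the statement with no warning and the copy is never freed. Checking the length as well as the pointer closes that gap: `size_t len = dbi_conn_quote_string( state->dbhandle, &str );` followed by `if( len && str ) {`, with a `free( str );` added to the else branch so a pointer that survives a failed call is released. The `strdup` result is also unchecked, so an allocation failure reaches the quoting call as a NULL input and is reported as a formatting failure rather than as out-of-memory. The buildScalar hunk below has the same pattern. The enclosing switch in buildExpression continues outside the hunk.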
@@ -1037,10 +1044,17 @@ static void buildScalar( BuildSQLState* state, int numeric, const jsonObject* ob
 					"Invalid value for bind variable: expected a string, found a number" );
 				state->error = 1;
 			} else {
-				// To do: escape special characters in the string
-				buffer_add_char( state->sql, '\'' );
-				buffer_add( state->sql, jsonObjectGetString( obj ));
-				buffer_add_char( state->sql, '\'' );
+				char* str = jsonObjectToSimpleString( obj );
+				dbi_conn_quote_string( state->dbhandle, &str );
+				if( str ) {
+					buffer_add( state->sql, str );
+					free( str );
+				} else {
+					osrfLogWarning( OSRF_LOG_MARK, sqlAddMsg( state,
+						"Unable to format string literal \"%s\" for bind variable",
+						jsonObjectGetString( obj )));
+					state->error = 1;
+				}
 			}
 			break;
 		case JSON_NUMBER :
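Review bot: The quote-append-warn sequence added here is a near line-for-line copy of the one in the buildExpression hunk above, differing only in how the source string is obtained and in the warning text, so any later adjustment to the failure handling has to be made in two places. A small static helper that takes the state, an owned malloc'd string and a short context label for the message would keep the quoting policy in one place; this call site would shrink to `sqlAddQuotedString( state, jsonObjectToSimpleString( obj ), "bind variable" );` and the one in buildExpression to the same call with `strdup( expr->literal )`. The helper name below is a suggestion, not an existing function. The enclosing switch in buildScalar continues outside the hunk.
```c
// Quote an owned, malloc'd string and append it to state->sql.
// Takes ownership of str and frees it on every path; a NULL str
// (failed copy) is reported like a failed quoting call.
static void sqlAddQuotedString( BuildSQLState* state, char* str, const char* what ) {
	if( !str ) {
		osrfLogWarning( OSRF_LOG_MARK, sqlAddMsg( state,
			"Unable to copy string literal for %s", what ));
		state->error = 1;
		return;
	}
	if( dbi_conn_quote_string( state->dbhandle, &str ) && str ) {
		buffer_add( state->sql, str );
	} else {
		osrfLogWarning( OSRF_LOG_MARK, sqlAddMsg( state,
			"Unable to format string literal for %s", what ));
		state->error = 1;
	}
	free( str );
}

// … unchanged: buildScalar up to the non-numeric string branch …
				sqlAddQuotedString( state, jsonObjectToSimpleString( obj ), "bind variable" );
```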
-- 
2.11.0