From 2c4cb76ab3b3b9999e6f553e7a2d290b0b3c1ffa Mon Sep 17 00:00:00 2001
From: scottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Date: Thu, 10 Jun 2010 20:10:42 +0000
Subject: [PATCH] When looking up a bind variable by name: escape any special
 characters in the name before building the query.

M    Open-ILS/src/c-apps/oils_storedq.c


git-svn-id: svn://svn.open-ils.org/ILS/trunk@16666 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/c-apps/oils_storedq.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/c-apps/oils_storedq.c b/Open-ILS/src/c-apps/oils_storedq.c
index c39c3e2d75..6cf41d5057 100644
--- a/Open-ILS/src/c-apps/oils_storedq.c
+++ b/Open-ILS/src/c-apps/oils_storedq.c
@@ -1011,10 +1011,19 @@ static BindVar* getBindVar( BuildSQLState* state, const char* name ) {
 			return bind;   // Already loaded it...
 	}
 
-	// Load a BindVar from the Database.
+	// Load a BindVar from the Database.(after escaping any special characters)
+	char* esc_str = strdup( name );
+	dbi_conn_quote_string( state->dbhandle, &esc_str );
+	if( !esc_str ) {
+		osrfLogError( OSRF_LOG_MARK, sqlAddMsg( state,
+			"Unable to format bind variable name \"%s\"", name ));
+		state->error = 1;
+		return NULL;
+	}
 	dbi_result result = dbi_conn_queryf( state->dbhandle,
 		"SELECT name, type, description, default_value, label "
-		"FROM query.bind_variable WHERE name = \'%s\';", name );
+		"FROM query.bind_variable WHERE name = %s;", esc_str );
+	free( esc_str );
 	if( result ) {
 		if( dbi_result_first_row( result ) ) {
 			bind = constructBindVar( state, result );
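Review bot: The `strdup( name )` result on the first added line is passed to `dbi_conn_quote_string` without a NULL check; the `if( !esc_str )` test only runs after the call, so on allocation failure correctness depends on libdbi tolerating a NULL `*orig` (I believe it returns early in that case, but the hunk does not establish it). Guarding the call directly removes that dependency and keeps the existing error path: `if( esc_str )` / `    dbi_conn_quote_string( state->dbhandle, &esc_str );`. Note also that the returned length is discarded, so the NULL test on `esc_str` is the only signal that quoting failed; a short comment such as `// dbi_conn_quote_string frees the original and leaves esc_str NULL on failure` would make that contract explicit for the next reader. The enclosing getBindVar body begins before and continues after this hunk.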
-- 
2.11.0