[open-ils-commits] r13787 - trunk/Open-ILS/src/c-apps (scottmk)
svn at svn.open-ils.org
Fri Jul 31 08:21:50 EDT 2009
Author: scottmk
Date: 2009-07-31 08:21:49 -0400 (Fri, 31 Jul 2009)
New Revision: 13787
Modified:
trunk/Open-ILS/src/c-apps/oils_cstore.c
Log:
In oils_cstore.c: accept "is distinct from" and "is not distinct from"
as comparison operators.
Modified: trunk/Open-ILS/src/c-apps/oils_cstore.c
===================================================================
--- trunk/Open-ILS/src/c-apps/oils_cstore.c 2009-07-31 02:58:23 UTC (rev 13786)
+++ trunk/Open-ILS/src/c-apps/oils_cstore.c 2009-07-31 12:21:49 UTC (rev 13787)
@@ -5217,10 +5217,10 @@
Return 1 if it's good, or 0 if it's bad.
We don't validate it for real. We just make sure that it doesn't contain
-any semicolons or white space (with a special exception for the
-"SIMILAR TO" operator). The idea is to block certain kinds of SQL
-injection. If it has no semicolons or white space but it's still not a
-valid operator, then the database will complain.
+any semicolons or white space (with special exceptions for a few specific
+operators). The idea is to block certain kinds of SQL injection. If it
+has no semicolons or white space but it's still not a valid operator, then
+the database will complain.
Another approach would be to compare the string against a short list of
approved operators. We don't do that because we want to allow custom
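Review bot: The updated comment says "special exceptions for a few specific operators" without naming them, so the doc comment no longer tells a reader which whitespace-containing operators pass the check; the old text named SIMILAR TO explicitly. Suggest enumerating the three exact strings accepted by the code ("SIMILAR TO", "IS DISTINCT FROM", "IS NOT DISTINCT FROM") so the comment stays in sync with the strcasecmp chain below and a future addition is visible in one place.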
@@ -5233,10 +5233,14 @@
const char* s = op;
while( *s ) {
if( isspace( (unsigned char) *s ) ) {
- // Special exception for SIMILAR TO. Someday we might make
- // exceptions for IS DISTINCT FROM and IS NOT DISTINCT FROM.
+ // Special exceptions for SIMILAR TO, IS DISTINCT FROM,
+ // and IS NOT DISTINCT FROM.
if( !strcasecmp( op, "similar to" ) )
return 1;
+ else if( !strcasecmp( op, "is distinct from" ) )
+ return 1;
+ else if( !strcasecmp( op, "is not distinct from" ) )
+ return 1;
else
return 0;
}
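Review bot: The three strcasecmp branches are an exact, case-insensitive whole-string match, so any variant with extra, leading or trailing whitespace (e.g. "is  distinct from") falls through to `return 0`, which is the safe outcome; it would be worth a one-line comment stating that the match is exact, since that is what makes the early `return 1` safe even though it skips the rest of the scan. Stylistically, the if/else-if chain is now three copies of the same shape; a small static array of permitted multi-word operators walked in a loop would let the next addition be a one-line change rather than another branch.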