[open-ils-commits] r16666 - trunk/Open-ILS/src/c-apps (scottmk)
svn at svn.open-ils.org
svn at svn.open-ils.org
Thu Jun 10 16:10:47 EDT 2010
Author: scottmk
Date: 2010-06-10 16:10:42 -0400 (Thu, 10 Jun 2010)
New Revision: 16666
Modified:
trunk/Open-ILS/src/c-apps/oils_storedq.c
Log:
When looking up a bind variable by name: escape any special characters
in the name before building the query.
M Open-ILS/src/c-apps/oils_storedq.c
Modified: trunk/Open-ILS/src/c-apps/oils_storedq.c
===================================================================
--- trunk/Open-ILS/src/c-apps/oils_storedq.c 2010-06-10 20:03:25 UTC (rev 16665)
+++ trunk/Open-ILS/src/c-apps/oils_storedq.c 2010-06-10 20:10:42 UTC (rev 16666)
@@ -1011,10 +1011,19 @@
return bind; // Already loaded it...
}
- // Load a BindVar from the Database.
+ // Load a BindVar from the Database.(after escaping any special characters)
+ char* esc_str = strdup( name );
+ dbi_conn_quote_string( state->dbhandle, &esc_str );
+ if( !esc_str ) {
+ osrfLogError( OSRF_LOG_MARK, sqlAddMsg( state,
+ "Unable to format bind variable name \"%s\"", name ));
+ state->error = 1;
+ return NULL;
+ }
dbi_result result = dbi_conn_queryf( state->dbhandle,
"SELECT name, type, description, default_value, label "
- "FROM query.bind_variable WHERE name = \'%s\';", name );
+ "FROM query.bind_variable WHERE name = %s;", esc_str );
+ free( esc_str );
if( result ) {
if( dbi_result_first_row( result ) ) {
bind = constructBindVar( state, result );