Commit 98618bb6 authored by Jérome Perrin's avatar Jérome Perrin

fix quote escaping

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@19366 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent a7c1827e
...@@ -26,8 +26,8 @@ ...@@ -26,8 +26,8 @@
# #
############################################################################## ##############################################################################
from DocumentTemplate.DT_Var import sql_quote
from SearchKey import SearchKey from SearchKey import SearchKey
from pprint import pprint
class DefaultKey(SearchKey): class DefaultKey(SearchKey):
""" DefaultKey key is an ERP5 portal_catalog search key which is used to render """ DefaultKey key is an ERP5 portal_catalog search key which is used to render
...@@ -106,7 +106,7 @@ class DefaultKey(SearchKey): ...@@ -106,7 +106,7 @@ class DefaultKey(SearchKey):
""" Return a quoted string of the value. """ """ Return a quoted string of the value. """
if isinstance(value, (int, long,)): if isinstance(value, (int, long,)):
return str(value) return str(value)
return "'%s'" %value return "'%s'" % sql_quote(value)
## def buildSQLExpressionFromSearchString(self, key, value, format, mode, range_value, stat__): ## def buildSQLExpressionFromSearchString(self, key, value, format, mode, range_value, stat__):
......
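Review bot: DefaultKey.quoteSQLString now hands `value` to sql_quote unconverted, whereas the base SearchKey.quoteSQLString changed in the same commit calls `sql_quote(str(value))`; sql_quote works with string methods, so a value that is neither int/long nor a string (a float, for example) would presumably raise here instead of being quoted. Suggest `return "'%s'" % sql_quote(str(value))` so the override and the base class agree. The def line of quoteSQLString lies above the hunk, and the `format` parameter is not used in the visible body; a docstring line such as `format is accepted for interface compatibility and ignored` would make that explicit.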
...@@ -44,8 +44,8 @@ class FullTextKey(SearchKey): ...@@ -44,8 +44,8 @@ class FullTextKey(SearchKey):
# SQL expressions patterns # SQL expressions patterns
relevance = '%s_relevance' relevance = '%s_relevance'
where_match_against = "MATCH %s AGAINST ('%s' %s)" where_match_against = "MATCH %s AGAINST (%s %s)"
select_match_against_as = "MATCH %s AGAINST ('%s' %s) AS %s" select_match_against_as = "MATCH %s AGAINST (%s %s) AS %s"
t_PLUS = r'(\+)' t_PLUS = r'(\+)'
t_MINUS = r'(\-)' t_MINUS = r'(\-)'
...@@ -87,11 +87,14 @@ class FullTextKey(SearchKey): ...@@ -87,11 +87,14 @@ class FullTextKey(SearchKey):
relevance_key1 = self.relevance %key relevance_key1 = self.relevance %key
relevance_key2 = None relevance_key2 = None
select_expression_list = [] select_expression_list = []
where_expression = self.where_match_against %(key, value, mode) where_expression = self.where_match_against % (key,
self.quoteSQLString(value, ''), mode)
if not stat__: if not stat__:
# stat__ is an internal implementation artifact to prevent adding # stat__ is an internal implementation artifact to prevent adding
# select_expression for countFolder # select_expression for countFolder
select_expression_list = [self.select_match_against_as %(key, value, mode, relevance_key1),] select_expression_list = [self.select_match_against_as % (key,
self.quoteSQLString(value, ''), mode, relevance_key1),]
if relevance_key2 is not None: if relevance_key2 is not None:
select_expression_list.append(self.select_match_against_as %(key, value, mode, relevance_key2)) select_expression_list.append(self.select_match_against_as % (
key, self.quoteSQLString(value, ''), mode, relevance_key2))
return where_expression, select_expression_list return where_expression, select_expression_list
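Review bot: `self.quoteSQLString(value, '')` is evaluated three times on the same value in this hunk (where_expression and both select_expression_list entries); computing it once as `quoted_value = self.quoteSQLString(value, '')` before where_expression and reusing it keeps the three expressions guaranteed to carry the same quoting. The enclosing method starts above the hunk. Since the quotes were dropped from where_match_against and select_match_against_as in the first hunk, correctness of the generated SQL now depends on quoteSQLString returning an already-quoted literal; a comment next to those patterns, `# the value placeholder is filled by quoteSQLString, which supplies the surrounding quotes`, would record that coupling for the next reader.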
...@@ -126,10 +126,6 @@ class KeyWordKey(SearchKey): ...@@ -126,10 +126,6 @@ class KeyWordKey(SearchKey):
t.value = value t.value = value
return t return t
def quoteSQLString(self, value, format):
""" Return a quoted string of the value. """
return "'%s'" %value
def getOperatorForTokenList(self, tokens): def getOperatorForTokenList(self, tokens):
""" Generic implementation that will return respective """ Generic implementation that will return respective
operator for a token list. The first found occurence wins.""" operator for a token list. The first found occurence wins."""
......
...@@ -26,6 +26,7 @@ ...@@ -26,6 +26,7 @@
# #
############################################################################## ##############################################################################
from DocumentTemplate.DT_Var import sql_quote
from Products.ZSQLCatalog.Query.SimpleQuery import SimpleQuery as Query from Products.ZSQLCatalog.Query.SimpleQuery import SimpleQuery as Query
from Products.ZSQLCatalog.Query.ComplexQuery import ComplexQuery from Products.ZSQLCatalog.Query.ComplexQuery import ComplexQuery
from Products.ZSQLCatalog.SQLCatalog import getSearchKeyInstance from Products.ZSQLCatalog.SQLCatalog import getSearchKeyInstance
...@@ -108,7 +109,7 @@ class SearchKey: ...@@ -108,7 +109,7 @@ class SearchKey:
def quoteSQLString(self, value, format): def quoteSQLString(self, value, format):
""" Return a quoted string of the value. """ """ Return a quoted string of the value. """
return "'%s'" %value return "'%s'" % sql_quote(str(value))
# SQL generation # SQL generation
def buildSQLExpression(self, key, value, def buildSQLExpression(self, key, value,
......
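Review bot: `sql_quote(str(value))` will raise UnicodeEncodeError under the Python 2 this code targets (the `long` check in DefaultKey shows that) if a unicode value containing non-ASCII characters reaches quoteSQLString; whether such values arrive here is not visible in the hunk, so this needs confirming against callers. The current docstring only says "quoted", and the method now also escapes: suggest `""" Return value as a single-quoted SQL literal with embedded quotes doubled by sql_quote; format is ignored. """`. Note that which characters sql_quote escapes besides the single quote depends on the DocumentTemplate version in use, so the quoting contract documented here should name what is actually guaranteed.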
...@@ -108,13 +108,6 @@ class TestQuery(unittest.TestCase): ...@@ -108,13 +108,6 @@ class TestQuery(unittest.TestCase):
datetime_search_keys = [], datetime_search_keys = [],
full_text_search_keys=[])) full_text_search_keys=[]))
def testQuotedString(self):
q = Query(title='Foo d\'Bar')
self.assertEquals(
dict(where_expression="title = 'Foo d''Bar'",
select_expression_list=[]),
q.asSQLExpression(keyword_search_keys=[], full_text_search_keys=[]))
def testQueryMultipleKeys(self): def testQueryMultipleKeys(self):
# using multiple keys is invalid and raises # using multiple keys is invalid and raises
# KeyError: 'Query must have only one key' # KeyError: 'Query must have only one key'
...@@ -315,6 +308,52 @@ class TestQuery(unittest.TestCase): ...@@ -315,6 +308,52 @@ class TestQuery(unittest.TestCase):
datetime_search_keys = [], datetime_search_keys = [],
full_text_search_keys=[])['where_expression']) full_text_search_keys=[])['where_expression'])
def testQuotedStringDefaultKey(self):
q = Query(title='Foo d\'Ba')
self.assertEquals(
dict(where_expression="((((title = 'Foo d''Ba'))))",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringKeywordKey(self):
q = Query(title='Foo d\'Ba', type='keyword')
self.assertEquals(
dict(where_expression="((((title LIKE '%Foo d''Ba%'))))",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringFullTextKey(self):
q = Query(title='Foo d\'Ba', type='fulltext')
self.assertEquals(
dict(where_expression="MATCH title AGAINST ('Foo d''Ba' )",
select_expression_list=["MATCH title AGAINST ('Foo d''Ba' )"
" AS title_relevance"]),
q.asSQLExpression())
def testQuotedStringDateKey(self):
q = Query(title='Foo d\'Ba', type='date')
self.assertEquals(
# I don't know exactly what we should expect here.
dict(where_expression="1",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringFloatKey(self):
q = Query(title='Foo d\'Ba', type='float')
self.assertEquals(
# I don't know exactly what we should expect here.
# At least it's safe.
dict(where_expression="1",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringIntKey(self):
q = Query(title='Foo d\'Ba', type='int')
self.assertEquals(
dict(where_expression="((((title = 'Foo d''Ba'))))",
select_expression_list=[]),
q.asSQLExpression())
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
......
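Review bot: testQuotedStringDateKey and testQuotedStringFloatKey pin `where_expression="1"` while their comments say the expected value is unknown; `1` is an always-true condition, so an unparsable value silently drops the filter and the query returns every row rather than none, which the test should state as the intended contract or flag as a question rather than lock in with a shrug. Since the point of these tests is quote safety, an explicit check that the raw quote sequence is absent would express the intent better than the opaque constant, e.g. `self.failIf("d'Ba" in q.asSQLExpression()['where_expression'])`. The same applies to testQuotedStringIntKey, where a non-integer value under an int key is quoted as a string without the test saying that this is deliberate.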