diff --git a/product/ERP5Catalog/CatalogTool.py b/product/ERP5Catalog/CatalogTool.py
index 556ff300d45158fad0075a33f81eb5e1b11ded66..ed3b36488b7a15993ead696b7d66827b804901ff 100644
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -49,7 +49,7 @@ from MethodObject import Method
 from Products.ERP5Security import mergedLocalRoles
 from Products.ERP5Security.ERP5UserManager import SUPER_USER
-from Products.ERP5Type.Utils import sqlquote
+from Products.ZSQLCatalog.Utils import sqlquote
 import warnings
 from zLOG import LOG, PROBLEM, WARNING, INFO
diff --git a/product/ERP5Type/Utils.py b/product/ERP5Type/Utils.py
index 3d9a09c8e8f1a5d593b2b2680c5f88e9c8d5b2a1..5d74734f9e190392f1ab764d807385bc784f5e54 100644
--- a/product/ERP5Type/Utils.py
+++ b/product/ERP5Type/Utils.py
@@ -1489,28 +1489,6 @@ def mergeZRDBResults(results, key_column, edit_result):
 for row in data
 ]))
 
-#####################################################
-# SQL text escaping
-#####################################################
-def sqlquote(x):
- """
- Escape data suitable for inclusion in generated ANSI SQL92 code for
- cases where bound variables are not suitable.
-
- Inspired from zope/app/rdb/__init__.py:sqlquote, modified to:
- - use isinstance instead of type equality
- - use string member methods instead of string module
- """
- if isinstance(x, basestring):
- x = "'" + x.replace('\\', '\\\\').replace("'", "''") + "'"
- elif isinstance(x, (int, long, float)):
- pass
- elif x is None:
- x = 'NULL'
- else:
- raise TypeError, 'do not know how to handle type %s' % type(x)
- return x
-
 #####################################################
 # Hashing
 #####################################################
diff --git a/product/ZSQLCatalog/Operator/OperatorBase.py b/product/ZSQLCatalog/Operator/OperatorBase.py
index e4b6eb50150339c55f3cfabc072ba0ec914f5b93..1f0ca81cbfb60618ed19e33bb07569de2df701b5 100644
--- a/product/ZSQLCatalog/Operator/OperatorBase.py
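Review bot: The swapped-in `Products.ZSQLCatalog.Utils.sqlquote` only escapes strings, whereas the `ERP5Type.Utils.sqlquote` it replaces (deleted in the Utils.py hunk below) also passed `int`/`long`/`float` through unchanged and rendered `None` as `NULL`, so any CatalogTool call site that hands it a number or `None` now raises `AttributeError` on `.replace` instead of producing a literal. CatalogTool's call sites are not in this diff, so this needs checking against them; if any pass non-strings, coerce at the call site (`sqlquote(str(x))`, with `None` handled explicitly) or keep a type dispatch. A comment at the import such as `# string-only: callers must render NULL and numbers themselves` would keep the next reader from assuming the old contract.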
+++ b/product/ZSQLCatalog/Operator/OperatorBase.py
@@ -30,13 +30,10 @@ from zLOG import LOG
 from Products.ZSQLCatalog.interfaces.operator import IOperator
+from Products.ZSQLCatalog.Utils import sqlquote as escapeString
 from zope.interface.verify import verifyClass
 from zope.interface import implements
-def escapeString(value):
- # Inspired from ERP5Type/Utils:sqlquote, but this product must not depend on it.
- return "'" + value.replace('\\', '\\\\').replace("'", "''") + "'"
-
 def valueFloatRenderer(value):
 if isinstance(value, basestring):
 value = float(value.replace(' ', ''))
diff --git a/product/ZSQLCatalog/Utils.py b/product/ZSQLCatalog/Utils.py
new file mode 100644
index 0000000000000000000000000000000000000000..734bb45e0c8ab79775004c83e6faec29b1358bb1
--- /dev/null
+++ b/product/ZSQLCatalog/Utils.py
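Review bot: Aliasing `sqlquote as escapeString` silently changes the quoting convention for every operator in this module: the deleted helper doubled single quotes (`''`, accepted by any SQL dialect), while the imported one emits MySQL backslash escapes (`\'`, `\\`), and nothing in this file records that. A one-line comment at the import, e.g. `# MySQL backslash-style escaping; see ZSQLCatalog.Utils.sqlquote`, would make the dialect dependency visible to anyone rendering values for another backend or for a MySQL server running with NO_BACKSLASH_ESCAPES. `valueFloatRenderer` continues past the end of the hunk.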
@@ -0,0 +1,44 @@
+##############################################################################
+#
+# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsability of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# garantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+##############################################################################
+
+def sqlquote(value):
+ # See MySQL documentation of string literals.
+ # XXX: should use sql_quote__ on actual connector
+ # (ex: ZMySQLDA.DA.Connection.sql_quote__).
+ # Duplicating such code is error-prone, and makes us rely on a specific SQL
+ # dialect...
+ return "'" + (value
+ .replace('\x5c', r'\\')
+ .replace('\x00', r'\0')
+ .replace('\x08', r'\b')
+ .replace('\x09', r'\t')
+ .replace('\x0a', r'\n')
+ .replace('\x0d', r'\r')
+ .replace('\x1a', r'\Z')
+ .replace('\x22', r'\"')
+ .replace('\x27', r"\'")
+ ) + "'"
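Review bot: Escaping the single quote as `\'` (the last `.replace` in `sqlquote`) makes the literal's safety depend on the server's `sql_mode`: with NO_BACKSLASH_ESCAPES set a backslash is an ordinary character and the quote terminates the string, so a value containing `'` is no longer contained and becomes SQL injection, whereas doubling it (`.replace('\x27', "''")`) is accepted by MySQL in both modes and by standard SQL; the remaining backslash replacements can then at worst corrupt a value, not break out of it. The function also accepts only strings — `None` and numbers raise `AttributeError` — which is narrower than the `ERP5Type.Utils.sqlquote` this commit removes, so a docstring such as `Quote a str/unicode as a MySQL string literal; callers must render NULL and numbers themselves` would make the contract explicit. The `XXX` is right that byte-wise escaping is not connection-aware: on a multibyte connection charset where 0x5c or 0x27 can be a trailing byte (e.g. GBK, SJIS) these replacements may split characters, which is why the connector's `sql_quote__` is the robust path.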