From 2d6ecbd762e6eae7b79c10d555baabe667243298 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Wed, 2 Jul 2008 15:56:57 +0000
Subject: [PATCH] using ExactMatch could generate invalid SQL

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@22223 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ZSQLCatalog/SearchKey/RawKey.py      |  5 ++++-
 product/ZSQLCatalog/tests/testZSQLCatalog.py | 22 ++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/product/ZSQLCatalog/SearchKey/RawKey.py b/product/ZSQLCatalog/SearchKey/RawKey.py
index 064bf7c4b4..718a352e0e 100644
--- a/product/ZSQLCatalog/SearchKey/RawKey.py
+++ b/product/ZSQLCatalog/SearchKey/RawKey.py
@@ -39,8 +39,11 @@ class RawKey(SearchKey):
 
   def buildSQLExpression(self, key, value, 
                          format=None, mode=None, range_value=None, stat__=None):
+
     if value is not None:
-      where_expression = "%s = '%s'" % (key, value)
+      value = self.quoteSQLString(value, format)
+      key = self.quoteSQLKey(key, format)
+      where_expression = "%s = %s" % (key, value)
     else:
       where_expression = "%s is NULL" % (key)
     return where_expression, []
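Review bot: The `else` branch still formats the unquoted `key` into `"%s is NULL"`, because `key = self.quoteSQLKey(key, format)` runs only inside `if value is not None:`. If `quoteSQLKey` is meant to apply to every key, move that line above the `if` so both branches build the expression from the same quoted key. The WHERE clause is still assembled with `%` string formatting, so `quoteSQLString` and `quoteSQLKey` are the only thing keeping a caller-supplied value out of the SQL syntax. A comment such as `# value/key are embedded in the SQL text: quoting here is the injection defence, do not bypass` would record that for later editors. Both helpers are defined outside this hunk, so how they handle non-string values (numbers, tuples) is not visible here and should be confirmed.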
diff --git a/product/ZSQLCatalog/tests/testZSQLCatalog.py b/product/ZSQLCatalog/tests/testZSQLCatalog.py
index bb0bdfd873..d534c8d6cc 100644
--- a/product/ZSQLCatalog/tests/testZSQLCatalog.py
+++ b/product/ZSQLCatalog/tests/testZSQLCatalog.py
@@ -384,6 +384,13 @@ class TestQuery(unittest.TestCase):
                    select_expression_list=[]),
                 q.asSQLExpression())
 
+  def testQuotedStringExactMatch(self):
+    q = Query(title='Foo d\'Ba', key='ExactMatch')
+    self.assertEquals(
+              dict(where_expression="title = 'Foo d''Ba'",
+                   select_expression_list=[]),
+                q.asSQLExpression())
+
   def testQuotedStringFullTextKey(self):
     q = Query(title='Foo d\'Ba', type='fulltext')
     self.assertEquals(
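Review bot: `testQuotedStringExactMatch` only pins doubling of an embedded apostrophe, and the same holds for `testQuotedStringListKeywordKey` and `testQuotedStringListExactMatch` in the next hunk. A companion case whose value contains a backslash (for instance one ending in a backslash) would show whether `quoteSQLString` also handles that character, which matters on backends that treat backslash as an escape inside string literals; the helper is not visible here, so this is unverified rather than known to be broken. A case with `title=None` and `key='ExactMatch'` would also cover the `is NULL` branch of `RawKey.buildSQLExpression`, which this commit leaves without key quoting. The surrounding test class starts and ends outside this hunk.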
@@ -392,6 +399,21 @@ class TestQuery(unittest.TestCase):
                                      " AS title_relevance"]),
           q.asSQLExpression())
 
+  def testQuotedStringListKeywordKey(self):
+    q = Query(title=('Foo d\'Ba',), key='Keyword')
+    self.assertEquals(
+              dict(where_expression="((((title LIKE '%Foo d''Ba%'))))",
+                   select_expression_list=[]),
+                q.asSQLExpression())
+
+  def testQuotedStringListExactMatch(self):
+    q = Query(title=('Foo d\'Ba',), key='ExactMatch')
+    self.assertEquals(
+              dict(where_expression="title = 'Foo d''Ba'",
+                   select_expression_list=[]),
+                q.asSQLExpression())
+
+
   def testQuotedStringDateKey(self):
     q = Query(title='Foo d\'Ba', type='date')
     self.assertEquals(
-- 
2.30.9