EP5Type.Utils: Update SQL escaping rules.

Sadly, we still implement our own escaping, as places escaping strings do not know which connector will be used (proper escaping is connector-dependent, because database-dependent). Move this method in ZSQLCatalog to factorise code.

EP5Type.Utils: Update SQL escaping rules.
Sadly, we still implement our own escaping, as places escaping strings do not know which connector will be used (proper escaping is connector-dependent, because database-dependent). Move this method in ZSQLCatalog to factorise code.
39c4873a · Vincent Pelletier · 63c3da2b · 39c4873a · 39c4873a · 39c4873a
Commit 39c4873a authored Jul 09, 2015 by Vincent Pelletier
4 changed files
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -49,7 +49,7 @@ from MethodObject import Method
 from Products.ERP5Security import mergedLocalRoles
 from Products.ERP5Security.ERP5UserManager import SUPER_USER
-from Products.ERP5Type.Utils import sqlquote
+from Products.ZSQLCatalog.Utils import sqlquote
 import warnings
 from zLOG import LOG, PROBLEM, WARNING, INFO

--- a/product/ERP5Type/Utils.py
+++ b/product/ERP5Type/Utils.py
@@ -1489,28 +1489,6 @@ def mergeZRDBResults(results, key_column, edit_result):
      for row in data
    ]))
-#####################################################
-# SQL text escaping
-#####################################################
-def sqlquote(x):
-  """
-  Escape data suitable for inclusion in generated ANSI SQL92 code for
-  cases where bound variables are not suitable.
-  Inspired from zope/app/rdb/__init__.py:sqlquote, modified to:
-   - use isinstance instead of type equality
-   - use string member methods instead of string module
-  """
-  if isinstance(x, basestring):
-    x = "'" + x.replace('\\', '\\\\').replace("'", "''") + "'"
-  elif isinstance(x, (int, long, float)):
-    pass
-  elif x is None:
-    x = 'NULL'
-  else:
-    raise TypeError, 'do not know how to handle type %s' % type(x)
-  return x
 #####################################################
 # Hashing
 #####################################################

--- a/product/ZSQLCatalog/Operator/OperatorBase.py
+++ b/product/ZSQLCatalog/Operator/OperatorBase.py
@@ -30,13 +30,10 @@
 from zLOG import LOG
 from Products.ZSQLCatalog.interfaces.operator import IOperator
+from Products.ZSQLCatalog.Utils import sqlquote as escapeString
 from zope.interface.verify import verifyClass
 from zope.interface import implements
-def escapeString(value):
-  # Inspired from ERP5Type/Utils:sqlquote, but this product must not depend on it.
-  return "'" + value.replace('\\', '\\\\').replace("'", "''") + "'"
 def valueFloatRenderer(value):
  if isinstance(value, basestring):
    value = float(value.replace(' ', ''))

--- a/product/ZSQLCatalog/Utils.py
+++ b/product/ZSQLCatalog/Utils.py
+##############################################################################
+#
+# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsability of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# garantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+def sqlquote(value):
+  # See MySQL documentation of string literals.
+  # XXX: should use sql_quote__ on actual connector
+  # (ex: ZMySQLDA.DA.Connection.sql_quote__).
+  # Duplicating such code is error-prone, and makes us rely on a specific SQL
+  # dialect...
+  return "'" + (value
+    .replace('\x5c', r'\\')
+    .replace('\x00', r'\0')
+    .replace('\x08', r'\b')
+    .replace('\x09', r'\t')
+    .replace('\x0a', r'\n')
+    .replace('\x0d', r'\r')
+    .replace('\x1a', r'\Z')
+    .replace('\x22', r'\"')
+    .replace('\x27', r"\'")
+  ) + "'"