Commit 39c4873a authored by Vincent Pelletier's avatar Vincent Pelletier

EP5Type.Utils: Update SQL escaping rules.

Sadly, we still implement our own escaping, as places escaping strings do
not know which connector will be used (proper escaping is
connector-dependent, because database-dependent).
Move this method into ZSQLCatalog so that both products share one implementation instead of two diverging copies.
parent 63c3da2b
......@@ -49,7 +49,7 @@ from MethodObject import Method
from Products.ERP5Security import mergedLocalRoles
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products.ERP5Type.Utils import sqlquote
from Products.ZSQLCatalog.Utils import sqlquote
import warnings
from zLOG import LOG, PROBLEM, WARNING, INFO
......
......@@ -1489,28 +1489,6 @@ def mergeZRDBResults(results, key_column, edit_result):
for row in data
]))
#####################################################
# SQL text escaping
#####################################################
def sqlquote(x):
"""
Escape data suitable for inclusion in generated ANSI SQL92 code for
cases where bound variables are not suitable.
Inspired from zope/app/rdb/__init__.py:sqlquote, modified to:
- use isinstance instead of type equality
- use string member methods instead of string module
"""
if isinstance(x, basestring):
x = "'" + x.replace('\\', '\\\\').replace("'", "''") + "'"
elif isinstance(x, (int, long, float)):
pass
elif x is None:
x = 'NULL'
else:
raise TypeError, 'do not know how to handle type %s' % type(x)
return x
#####################################################
# Hashing
#####################################################
......
......@@ -30,13 +30,10 @@
from zLOG import LOG
from Products.ZSQLCatalog.interfaces.operator import IOperator
from Products.ZSQLCatalog.Utils import sqlquote as escapeString
from zope.interface.verify import verifyClass
from zope.interface import implements
def escapeString(value):
# Inspired from ERP5Type/Utils:sqlquote, but this product must not depend on it.
return "'" + value.replace('\\', '\\\\').replace("'", "''") + "'"
def valueFloatRenderer(value):
if isinstance(value, basestring):
value = float(value.replace(' ', ''))
......
##############################################################################
#
# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsability of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# garantees and support are strongly adviced to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
##############################################################################
def sqlquote(value):
# See MySQL documentation of string literals.
# XXX: should use sql_quote__ on actual connector
# (ex: ZMySQLDA.DA.Connection.sql_quote__).
# Duplicating such code is error-prone, and makes us rely on a specific SQL
# dialect...
return "'" + (value
.replace('\x5c', r'\\')
.replace('\x00', r'\0')
.replace('\x08', r'\b')
.replace('\x09', r'\t')
.replace('\x0a', r'\n')
.replace('\x0d', r'\r')
.replace('\x1a', r'\Z')
.replace('\x22', r'\"')
.replace('\x27', r"\'")
) + "'"
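Review bot: The new sqlquote only handles strings — its first `.replace` raises AttributeError on an int, long, float or None — while the ERP5Type.Utils.sqlquote it replaces (deleted in the hunk above) passed numbers through unchanged and rendered None as `NULL`, and the first hunk redirects those callers to this function, so any of them still passing a non-string value will now fail at runtime instead of producing a literal. If that narrowing is deliberate the function should get a docstring saying it takes strings only; otherwise the dispatch below restores the old contract on top of the new MySQL escaping. Separately, backslash escaping of this kind is only injection-safe when the connection charset is single-byte or UTF-8 (with multibyte charsets such as GBK, SJIS or BIG5 a 0x5c byte can be the trailing byte of a character, so the inserted backslash is swallowed) and when sql_mode does not include NO_BACKSLASH_ESCAPES, which makes `\'` a literal backslash followed by an unescaped quote; the existing comment already points at the connector's sql_quote__, and it should also record that assumption, e.g. `# Assumes a single-byte or UTF-8 connection charset and an sql_mode without NO_BACKSLASH_ESCAPES; with any other setting this escaping is not injection-safe.`
```python
def sqlquote(value):
    """Render value as a MySQL literal: strings are quoted and escaped,
    numbers pass through, None becomes NULL; anything else raises TypeError."""
    if isinstance(value, basestring):
        return "'" + (value
            .replace('\x5c', r'\\')
            # … unchanged: remaining .replace() chain …
        ) + "'"
    if isinstance(value, (int, long, float)):
        return value
    if value is None:
        return 'NULL'
    raise TypeError('do not know how to handle type %s' % type(value))
```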