Skip to content

erp5
erp5
Commit 98618bb6 authored by Jérome Perrin's avatar Jérome Perrin
Browse files
Options

fix quote escaping 


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@19366 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent a7c1827e
Hide whitespace changes
Inline Side-by-side
Showing with 59 additions and 20 deletions
product/ZSQLCatalog/SearchKey/DefaultKey.py
View file @ 98618bb6
......@@ -26,8 +26,8 @@
#
##############################################################################
from DocumentTemplate.DT_Var import sql_quote
from SearchKey import SearchKey
from pprint import pprint
class DefaultKey(SearchKey):
""" DefaultKey key is an ERP5 portal_catalog search key which is used to render
......@@ -106,7 +106,7 @@ class DefaultKey(SearchKey):
""" Return a quoted string of the value. """
if isinstance(value, (int, long,)):
return str(value)
return "'%s'" %value
return "'%s'" % sql_quote(value)
## def buildSQLExpressionFromSearchString(self, key, value, format, mode, range_value, stat__):
......
product/ZSQLCatalog/SearchKey/FullTextKey.py
View file @ 98618bb6
......@@ -44,8 +44,8 @@ class FullTextKey(SearchKey):
# SQL expressions patterns
relevance = '%s_relevance'
where_match_against = "MATCH %s AGAINST ('%s' %s)"
select_match_against_as = "MATCH %s AGAINST ('%s' %s) AS %s"
where_match_against = "MATCH %s AGAINST (%s %s)"
select_match_against_as = "MATCH %s AGAINST (%s %s) AS %s"
t_PLUS = r'(\+)'
t_MINUS = r'(\-)'
......@@ -87,11 +87,14 @@ class FullTextKey(SearchKey):
relevance_key1 = self.relevance %key
relevance_key2 = None
select_expression_list = []
where_expression = self.where_match_against %(key, value, mode)
where_expression = self.where_match_against % (key,
self.quoteSQLString(value, ''), mode)
if not stat__:
# stat__ is an internal implementation artifact to prevent adding
# select_expression for countFolder
select_expression_list = [self.select_match_against_as %(key, value, mode, relevance_key1),]
if relevance_key2 is not None:
select_expression_list.append(self.select_match_against_as %(key, value, mode, relevance_key2))
select_expression_list = [self.select_match_against_as % (key,
self.quoteSQLString(value, ''), mode, relevance_key1),]
if relevance_key2 is not None:
select_expression_list.append(self.select_match_against_as % (
key, self.quoteSQLString(value, ''), mode, relevance_key2))
return where_expression, select_expression_list
product/ZSQLCatalog/SearchKey/KeyWordKey.py
View file @ 98618bb6
......@@ -125,10 +125,6 @@ class KeyWordKey(SearchKey):
value = value[1:]
t.value = value
return t
def quoteSQLString(self, value, format):
""" Return a quoted string of the value. """
return "'%s'" %value
def getOperatorForTokenList(self, tokens):
""" Generic implementation that will return respective
......
product/ZSQLCatalog/SearchKey/SearchKey.py
View file @ 98618bb6
......@@ -26,6 +26,7 @@
#
##############################################################################
from DocumentTemplate.DT_Var import sql_quote
from Products.ZSQLCatalog.Query.SimpleQuery import SimpleQuery as Query
from Products.ZSQLCatalog.Query.ComplexQuery import ComplexQuery
from Products.ZSQLCatalog.SQLCatalog import getSearchKeyInstance
......@@ -108,7 +109,7 @@ class SearchKey:
def quoteSQLString(self, value, format):
""" Return a quoted string of the value. """
return "'%s'" %value
return "'%s'" % sql_quote(str(value))
# SQL generation
def buildSQLExpression(self, key, value,
......
product/ZSQLCatalog/tests/testZSQLCatalog.py
View file @ 98618bb6
......@@ -108,13 +108,6 @@ class TestQuery(unittest.TestCase):
datetime_search_keys = [],
full_text_search_keys=[]))
def testQuotedString(self):
q = Query(title='Foo d\'Bar')
self.assertEquals(
dict(where_expression="title = 'Foo d''Bar'",
select_expression_list=[]),
q.asSQLExpression(keyword_search_keys=[], full_text_search_keys=[]))
def testQueryMultipleKeys(self):
# using multiple keys is invalid and raises
# KeyError: 'Query must have only one key'
......@@ -315,6 +308,52 @@ class TestQuery(unittest.TestCase):
datetime_search_keys = [],
full_text_search_keys=[])['where_expression'])
def testQuotedStringDefaultKey(self):
q = Query(title='Foo d\'Ba')
self.assertEquals(
dict(where_expression="((((title = 'Foo d''Ba'))))",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringKeywordKey(self):
q = Query(title='Foo d\'Ba', type='keyword')
self.assertEquals(
dict(where_expression="((((title LIKE '%Foo d''Ba%'))))",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringFullTextKey(self):
q = Query(title='Foo d\'Ba', type='fulltext')
self.assertEquals(
dict(where_expression="MATCH title AGAINST ('Foo d''Ba' )",
select_expression_list=["MATCH title AGAINST ('Foo d''Ba' )"
" AS title_relevance"]),
q.asSQLExpression())
def testQuotedStringDateKey(self):
q = Query(title='Foo d\'Ba', type='date')
self.assertEquals(
# I don't know exactly what we should expect here.
dict(where_expression="1",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringFloatKey(self):
q = Query(title='Foo d\'Ba', type='float')
self.assertEquals(
# I don't know exactly what we should expect here.
# At least it's safe.
dict(where_expression="1",
select_expression_list=[]),
q.asSQLExpression())
def testQuotedStringIntKey(self):
q = Query(title='Foo d\'Ba', type='int')
self.assertEquals(
dict(where_expression="((((title = 'Foo d''Ba'))))",
select_expression_list=[]),
q.asSQLExpression())
def test_suite():
suite = unittest.TestSuite()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7