Commit a4c152fe authored by Yoshinori Okuji's avatar Yoshinori Okuji

Use sql_quote only if the value_item is a string.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@4105 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 7fda8102
...@@ -1413,8 +1413,6 @@ class Catalog(Folder, Persistent, Acquisition.Implicit, ExtensionClass.Base): ...@@ -1413,8 +1413,6 @@ class Catalog(Folder, Persistent, Acquisition.Implicit, ExtensionClass.Base):
# We have to create an OR from tuple or list # We have to create an OR from tuple or list
query_item = [] query_item = []
for value_item in value: for value_item in value:
# For security.
value_item = sql_quote(value_item)
if value_item != '': if value_item != '':
# we consider empty string as Non Significant # we consider empty string as Non Significant
# also for lists # also for lists
...@@ -1422,6 +1420,8 @@ class Catalog(Folder, Persistent, Acquisition.Implicit, ExtensionClass.Base): ...@@ -1422,6 +1420,8 @@ class Catalog(Folder, Persistent, Acquisition.Implicit, ExtensionClass.Base):
type(1991643034L)): type(1991643034L)):
query_item += ["%s = %s" % (key, value_item)] query_item += ["%s = %s" % (key, value_item)]
else: else:
# For security.
value_item = sql_quote(value_item)
if '%' in value_item: if '%' in value_item:
query_item += ["%s LIKE '%s'" % (key, str(value_item))] query_item += ["%s LIKE '%s'" % (key, str(value_item))]
elif key in keyword_search_keys: elif key in keyword_search_keys:
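Review bot: The moved `sql_quote` call is now guarded by "not one of the numeric types" rather than "is a string", so a value_item that is neither (None, a DateTime or any other object) reaches `sql_quote(value_item)` and the `'%' in value_item` test in the else branch, which is not what the commit title promises; narrowing the branch with an explicit `isinstance(value_item, basestring)` check (or an explicit `str()` conversion before quoting) would make the code match the stated intent. The `if` whose type tuple ends at `type(1991643034L)):` and the enclosing loop both start above the second hunk, so whether floats or other types are admitted cannot be seen here. The numeric branch interpolates value_item unquoted, which is only safe because the type check admits numbers; a comment such as `# numeric values are interpolated unquoted; every other type is escaped with sql_quote below` would record that security assumption next to the split. Both branches also interpolate `key` directly into the SQL fragment, so this code relies on `key` being a trusted, already-validated column name, which is decided outside the hunk.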