Use a better sql escaping method.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@24940 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5Catalog/CatalogTool.py

@@ -50,7 +50,7 @@ from Products.PageTemplates.Expressions import getEngine
 from MethodObject import Method
 
 from Products.ERP5Security.ERP5UserManager import SUPER_USER
-from DocumentTemplate.DT_Var import sql_quote
+from Products.ERP5Type.Utils import sqlquote
 
 import os, time, urllib, warnings
 import sys
@@ -565,7 +565,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
           else:
             # XXX: What with this string transformation ?! Souldn't it be done in
             # dtml instead ?
-            allowedRolesAndUsers = ["'%s'" % (sql_quote(role), ) for role in allowedRolesAndUsers]
+            allowedRolesAndUsers = [sqlquote(role) for role in allowedRolesAndUsers]
             security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
           security_uid_cache[cache_key] = security_uid_list
       else: