Commit 39c4873a authored by Vincent Pelletier's avatar Vincent Pelletier

EP5Type.Utils: Update SQL escaping rules.

Sadly, we still implement our own escaping, as places escaping strings do
not know which connector will be used (proper escaping is
connector-dependent, because database-dependent).
Move this method into ZSQLCatalog to factorise code.
parent 63c3da2b
...@@ -49,7 +49,7 @@ from MethodObject import Method ...@@ -49,7 +49,7 @@ from MethodObject import Method
from Products.ERP5Security import mergedLocalRoles from Products.ERP5Security import mergedLocalRoles
from Products.ERP5Security.ERP5UserManager import SUPER_USER from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products.ERP5Type.Utils import sqlquote from Products.ZSQLCatalog.Utils import sqlquote
import warnings import warnings
from zLOG import LOG, PROBLEM, WARNING, INFO from zLOG import LOG, PROBLEM, WARNING, INFO
...@@ -1489,28 +1489,6 @@ def mergeZRDBResults(results, key_column, edit_result): ...@@ -1489,28 +1489,6 @@ def mergeZRDBResults(results, key_column, edit_result):
for row in data for row in data
])) ]))
#####################################################
# SQL text escaping
#####################################################
def sqlquote(x):
"""
Escape data suitable for inclusion in generated ANSI SQL92 code for
cases where bound variables are not suitable.
Inspired from zope/app/rdb/__init__.py:sqlquote, modified to:
- use isinstance instead of type equality
- use string member methods instead of string module
"""
if isinstance(x, basestring):
x = "'" + x.replace('\\', '\\\\').replace("'", "''") + "'"
elif isinstance(x, (int, long, float)):
pass
elif x is None:
x = 'NULL'
else:
raise TypeError, 'do not know how to handle type %s' % type(x)
return x
##################################################### #####################################################
# Hashing # Hashing
##################################################### #####################################################
...@@ -30,13 +30,10 @@ ...@@ -30,13 +30,10 @@
from zLOG import LOG from zLOG import LOG
from Products.ZSQLCatalog.interfaces.operator import IOperator from Products.ZSQLCatalog.interfaces.operator import IOperator
from Products.ZSQLCatalog.Utils import sqlquote as escapeString
from zope.interface.verify import verifyClass from zope.interface.verify import verifyClass
from zope.interface import implements from zope.interface import implements
def escapeString(value):
# Inspired from ERP5Type/Utils:sqlquote, but this product must not depend on it.
return "'" + value.replace('\\', '\\\\').replace("'", "''") + "'"
def valueFloatRenderer(value): def valueFloatRenderer(value):
if isinstance(value, basestring): if isinstance(value, basestring):
value = float(value.replace(' ', '')) value = float(value.replace(' ', ''))
##############################################################################
#
# Copyright (c) 2015 Nexedi SA and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsability of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# garantees and support are strongly adviced to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
##############################################################################
def sqlquote(value):
# See MySQL documentation of string literals.
# XXX: should use sql_quote__ on actual connector
# (ex: ZMySQLDA.DA.Connection.sql_quote__).
# Duplicating such code is error-prone, and makes us rely on a specific SQL
# dialect...
return "'" + (value
.replace('\x5c', r'\\')
.replace('\x00', r'\0')
.replace('\x08', r'\b')
.replace('\x09', r'\t')
.replace('\x0a', r'\n')
.replace('\x0d', r'\r')
.replace('\x1a', r'\Z')
.replace('\x22', r'\"')
.replace('\x27', r"\'")
) + "'"
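Review bot: The new `sqlquote` only handles strings, whereas the `ERP5Type.Utils.sqlquote` it replaces (deleted in the second hunk) passed `int`/`long`/`float` through unchanged and rendered `None` as `NULL`; after the import switch in the first hunk, any caller that relied on those branches now fails with an `AttributeError` on `.replace`, a contract change the commit message does not mention. If every caller is known to pass strings, make the narrowed contract explicit and fail with a clear message before the replace chain, `if not isinstance(value, basestring):` / `raise TypeError('sqlquote expects a string, got %s' % type(value))`; otherwise restore the non-string branches. The function also has no docstring: one stating that it returns a single-quoted MySQL string literal using backslash escaping, that `'` is rendered as `\'` rather than the SQL92 `''` the removed implementation used, and that correctness depends on the connection's sql_mode (`NO_BACKSLASH_ESCAPES` disables this scheme) and character set, which a connector-side `sql_quote__` knows and this helper cannot, would record the dialect assumption the XXX comment only hints at.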