From 4a5029f089a2d52c609b81a627f5b067ed3f413c Mon Sep 17 00:00:00 2001
From: Vincent Pelletier <vincent@nexedi.com>
Date: Thu, 18 Dec 2008 13:16:27 +0000
Subject: [PATCH] Use a better sql escaping method.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@24940 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Catalog/CatalogTool.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/product/ERP5Catalog/CatalogTool.py b/product/ERP5Catalog/CatalogTool.py
index d01ca5049f..044fb26de4 100644
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -50,7 +50,7 @@ from Products.PageTemplates.Expressions import getEngine
 from MethodObject import Method
 from Products.ERP5Security.ERP5UserManager import SUPER_USER
-from DocumentTemplate.DT_Var import sql_quote
+from Products.ERP5Type.Utils import sqlquote
 import os, time, urllib, warnings
 import sys
@@ -565,7 +565,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
 else:
 # XXX: What with this string transformation ?! Souldn't it be done in
 # dtml instead ?
-allowedRolesAndUsers = ["'%s'" % (sql_quote(role), ) for role in allowedRolesAndUsers]
+allowedRolesAndUsers = [sqlquote(role) for role in allowedRolesAndUsers]
 security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
 security_uid_cache[cache_key] = security_uid_list
 else:
-- 
2.30.9
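Review bot: The replacement line `allowedRolesAndUsers = [sqlquote(role) for role in allowedRolesAndUsers]` now depends on `sqlquote` both escaping the value and wrapping it in quotes, but nothing in this hunk shows how `Products.ERP5Type.Utils.sqlquote` treats backslashes; the dropped `DocumentTemplate.DT_Var.sql_quote` historically only doubled single quotes, which is not enough for MySQL where `\'` also terminates a literal, and the quoted values are handed straight to `method(security_roles_list=...)`, which presumably interpolates them verbatim into an `IN (...)` clause. Since entries of `allowedRolesAndUsers` include user ids that a user can influence, this is the injection surface the commit is meant to close, so please confirm `sqlquote` escapes backslashes (ideally through the DB adapter's own escaping) rather than only doubling quotes. I would also add a comment above the new line, `# sqlquote returns a fully quoted SQL literal; the ZSQL method must not add its own quotes`, so a later edit to the ZSQL method does not double-quote or re-escape. The cleaner fix the existing XXX comment already points at is to pass the raw role list and let the ZSQL method quote it with `<dtml-sqlvar ... type=string>`. The enclosing method of `CatalogTool` starts and ends outside this hunk.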