Commit 974a81d4 authored by Yoshinori Okuji's avatar Yoshinori Okuji

Make sure that value_item is a string before applying sql_quote.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@4106 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent a4c152fe
...@@ -1421,17 +1421,17 @@ class Catalog(Folder, Persistent, Acquisition.Implicit, ExtensionClass.Base): ...@@ -1421,17 +1421,17 @@ class Catalog(Folder, Persistent, Acquisition.Implicit, ExtensionClass.Base):
query_item += ["%s = %s" % (key, value_item)] query_item += ["%s = %s" % (key, value_item)]
else: else:
# For security. # For security.
value_item = sql_quote(value_item) value_item = sql_quote(str(value_item))
if '%' in value_item: if '%' in value_item:
query_item += ["%s LIKE '%s'" % (key, str(value_item))] query_item += ["%s LIKE '%s'" % (key, value_item)]
elif key in keyword_search_keys: elif key in keyword_search_keys:
# We must add % in the request to simulate the catalog # We must add % in the request to simulate the catalog
query_item += ["%s LIKE '%%%s%%'" % (key, str(value_item))] query_item += ["%s LIKE '%%%s%%'" % (key, value_item)]
elif key in full_text_search_keys: elif key in full_text_search_keys:
# We must add % in the request to simulate the catalog # We must add % in the request to simulate the catalog
query_item += ["MATCH %s AGAINST ('%s')" % (key, value)] query_item += ["MATCH %s AGAINST ('%s')" % (key, value)]
else: else:
query_item += ["%s = '%s'" % (key, str(value_item))] query_item += ["%s = '%s'" % (key, value_item)]
if len(query_item) > 0: if len(query_item) > 0:
where_expression += ['(%s)' % join(query_item, ' OR ')] where_expression += ['(%s)' % join(query_item, ' OR ')]
elif type(value) is type({}): elif type(value) is type({}):
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment