Address SQL injection vulnerability in SQL ORM layer
author Mike Rylander <mrylander@gmail.com>
Fri, 5 Apr 2013 05:52:16 +0000 (01:52 -0400)
committer Mike Rylander <mrylander@gmail.com>
Wed, 17 Apr 2013 19:55:44 +0000 (15:55 -0400)
commit 34c0a980a1a17b1d1649ede361533a9bcfc6e020
tree b9a4afce50a004fe63c7dcdc1f69dff1b99b2a44
parent bfce3c12aac881209093dbf4ce30c084329e3a19
Address SQL injection vulnerability in SQL ORM layer

If the user-supplied value and the db column are both numbers
(jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
don't quote. Otherwise, quote.

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Open-ILS/src/c-apps/oils_sql.c
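
The quoting rule stated in the commit message, as an added example; it is not code from this commit or from oils_sql.c. All `ex_` names, the `"string"` column primitive and the quote-doubling escaper (a stand-in for whatever quoting routine the database driver provides) are assumptions made for illustration, and the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins; the commit message names only JSON_NUMBER and "number". */
typedef enum { EX_JSON_STRING, EX_JSON_NUMBER } ex_json_type;
typedef struct { ex_json_type type; const char *str; double num; } ex_json_value;

/* Wrap s in single quotes, doubling embedded quotes (standard SQL literal escaping). */
static char *ex_quote_literal(const char *s) {
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++) if (s[i] == '\'') extra++;
    char *out = malloc(n + extra + 3);
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') *p++ = '\'';
        *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Render a user-supplied value for use against a column. Caller frees the result. */
char *ex_sql_value(const ex_json_value *v, const char *column_primitive) {
    char numbuf[32];
    const char *text = v->str;
    if (v->type == EX_JSON_NUMBER) {
        /* The bare form is generated from the parsed double, never from raw input. */
        snprintf(numbuf, sizeof numbuf, "%.15g", v->num);
        text = numbuf;
        if (strcmp(column_primitive, "number") == 0) {
            /* Value and column are both numbers: the only unquoted case. */
            char *out = malloc(strlen(numbuf) + 1);
            if (out) strcpy(out, numbuf);
            return out;
        }
    }
    /* Everything else, including a string sent to a numeric column, is quoted. */
    return ex_quote_literal(text);
}

int main(void) {
    ex_json_value v = { EX_JSON_STRING, "1 OR 1=1", 0 };  /* constructed input */
    char *s = ex_sql_value(&v, "number");
    if (s) puts(s);
    free(s);
    return 0;
}
```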