From 2c4cb76ab3b3b9999e6f553e7a2d290b0b3c1ffa Mon Sep 17 00:00:00 2001
From: scottmk
Date: Thu, 10 Jun 2010 20:10:42 +0000
Subject: [PATCH] When looking up a bind variable by name: escape any special characters in the name before building the query.

M Open-ILS/src/c-apps/oils_storedq.c

git-svn-id: svn://svn.open-ils.org/ILS/trunk@16666 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/c-apps/oils_storedq.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/c-apps/oils_storedq.c b/Open-ILS/src/c-apps/oils_storedq.c
index c39c3e2d75..6cf41d5057 100644
--- a/Open-ILS/src/c-apps/oils_storedq.c
+++ b/Open-ILS/src/c-apps/oils_storedq.c
@@ -1011,10 +1011,19 @@ static BindVar* getBindVar( BuildSQLState* state, const char* name ) {
 return bind; // Already loaded it...
 }
 
- // Load a BindVar from the Database.
+ // Load a BindVar from the Database.(after escaping any special characters)
+ char* esc_str = strdup( name );
+ dbi_conn_quote_string( state->dbhandle, &esc_str );
+ if( !esc_str ) {
+ osrfLogError( OSRF_LOG_MARK, sqlAddMsg( state,
+ "Unable to format bind variable name \"%s\"", name ));
+ state->error = 1;
+ return NULL;
+ }
 dbi_result result = dbi_conn_queryf( state->dbhandle, "SELECT name, type, description, default_value, label "
- "FROM query.bind_variable WHERE name = \'%s\';", name );
+ "FROM query.bind_variable WHERE name = %s;", esc_str );
+ free( esc_str );
 if( result ) {
 if( dbi_result_first_row( result ) ) {
 bind = constructBindVar( state, result );
-- 
2.43.2
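Review bot: The strdup() result on the second added line is passed straight to dbi_conn_quote_string() without a NULL check, so an allocation failure hands the library a NULL pointer before the `if( !esc_str )` guard ever runs. Guarding the call, `if( esc_str ) dbi_conn_quote_string( state->dbhandle, &esc_str );`, lets the existing check cover both the strdup failure and the quoting failure. That check also relies on libdbi clearing the pointer on error; dbi_conn_quote_string returns 0 on failure, so testing its return value would be the documented signal, though what it leaves in `*orig` in that case I cannot confirm from the hunk, and an unfreed original string there would leak. Replacing the hand-quoted `'%s'` with a driver-aware quoted literal is the right fix for the injection risk in the old line, and getBindVar's body continues outside the hunk.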