From a193de015210c724601a7b621eafb58b6de62f03 Mon Sep 17 00:00:00 2001
From: teo_sarca
Date: Fri, 23 Mar 2007 15:39:19 +0000
Subject: [PATCH] [ 1686876 ] ValuePreference class: SQL Injection

http://sourceforge.net/tracker/index.php?func=detail&aid=1686876&group_id=176962&atid=879332
---
 client/src/org/compiere/grid/ed/ValuePreference.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/src/org/compiere/grid/ed/ValuePreference.java b/client/src/org/compiere/grid/ed/ValuePreference.java
index 01fb8e0f50..3fc8ff57ed 100644
--- a/client/src/org/compiere/grid/ed/ValuePreference.java
+++ b/client/src/org/compiere/grid/ed/ValuePreference.java
@@ -475,7 +475,7 @@ public class ValuePreference extends CDialog
 else
 sql.append("NULL,");
 //
- sql.append("'").append(m_Attribute).append("','").append(m_Value).append("')");
+ sql.append(DB.TO_STRING(m_Attribute)).append(",").append(DB.TO_STRING(m_Value)).append(")");
 //
 log.fine( sql.toString());
 no = DB.executeUpdate(sql.toString(), null);
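Review bot: Routing m_Attribute and m_Value through DB.TO_STRING on the added line closes the quoting hole, but the INSERT is still assembled by concatenation and run through DB.executeUpdate(sql.toString(), null), so its safety now rests entirely on TO_STRING escaping everything the database treats specially; binding the two values as `?` parameters of a prepared statement would remove that dependency rather than patch around it. The values appended before this hunk (the branch that writes `NULL,`) are outside the view, so whether they are user-controlled and quoted the same way cannot be confirmed here, and the enclosing method both starts before and runs past the hunk. At minimum, a comment on the new line such as `// quoted and escaped by DB.TO_STRING; prefer bound parameters if this statement is reworked` would record why the literal quotes were dropped, and a test that saves a value containing a single quote would pin the fix against regression.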