Fix [2893220] - InfoGeneral does not escape quotes

https://sourceforge.net/tracker/?func=detail&atid=879332&aid=2893220&group_id=176962 Thanks to Angelo Dabala (genied)
2009-11-06 13:47:39 +00:00 · 2009-11-06 13:47:39 +00:00 · edf1aa2eff
parent 93b430033e
commit edf1aa2eff
1 changed files with 25 additions and 7 deletions
--- a/client/src/org/compiere/apps/search/InfoGeneral.java
+++ b/client/src/org/compiere/apps/search/InfoGeneral.java
@ -304,7 +304,7 @@ public class InfoGeneral extends Info
 					columnSql = columnName;
 				//  Default
 				StringBuffer colSql = new StringBuffer(columnSql);
-				Class colClass = null;
+				Class<?> colClass = null;
 				//
 				if (isKey)
 					colClass = IDColumn.class;
@ -402,15 +402,25 @@ public class InfoGeneral extends Info
 	{
 		if (!(value.equals("") || value.equals("%")) && index < m_queryColumns.size())
 		{
-			sql.append(" AND UPPER(").append(m_queryColumnsSql.get(index).toString()).append(") LIKE '");
-			sql.append(value);
-			if (value.endsWith("%"))
-				sql.append("'");
-			else
-				sql.append("%'");
+			// Angelo Dabala' (genied) nectosoft: [2893220] avoid to append string parameters directly because of special chars like quote(s)
+			sql.append(" AND UPPER(").append(m_queryColumnsSql.get(index).toString()).append(") LIKE ?");
 		}
 	}	//	addSQLWhere

+	/**
+	 *  Get SQL WHERE parameter
+	 *  @param f field
+	 *  @return sql part
+	 */
+	private String getSQLText (CTextField f)
+	{
+		String s = f.getText().toUpperCase();
+		if (!s.endsWith("%"))
+			s += "%";
+		log.fine( "String=" + s);
+		return s;
+	}   //  getSQLText
+
 	/**
 	 *  Set Parameters for Query.
 	 *  (as defined in getSQLWhere)
@ -421,6 +431,14 @@ public class InfoGeneral extends Info
 	protected void setParameters(PreparedStatement pstmt, boolean forCount) throws SQLException
 	{
 		int index = 1;
+		if (textField1.getText().length() > 0)
+			pstmt.setString(index++, getSQLText(textField1));
+		if (textField2.getText().length() > 0)
+			pstmt.setString(index++, getSQLText(textField2));
+		if (textField3.getText().length() > 0)
+			pstmt.setString(index++, getSQLText(textField3));
+		if (textField4.getText().length() > 0)
+			pstmt.setString(index++, getSQLText(textField4));
 	}   //  setParameters

 }	//	InfoGeneral