Fix [2893220] - InfoGeneral does not escape quotes

https://sourceforge.net/tracker/?func=detail&atid=879332&aid=2893220&group_id=176962
Thanks to Angelo Dabala (genied)
This commit is contained in:
Carlos Ruiz 2009-11-06 13:47:39 +00:00
parent 93b430033e
commit edf1aa2eff
1 changed files with 25 additions and 7 deletions


@ -304,7 +304,7 @@ public class InfoGeneral extends Info
columnSql = columnName; columnSql = columnName;
// Default // Default
StringBuffer colSql = new StringBuffer(columnSql); StringBuffer colSql = new StringBuffer(columnSql);
Class colClass = null; Class<?> colClass = null;
// //
if (isKey) if (isKey)
colClass = IDColumn.class; colClass = IDColumn.class;
@ -402,15 +402,25 @@ public class InfoGeneral extends Info
{ {
if (!(value.equals("") || value.equals("%")) && index < m_queryColumns.size()) if (!(value.equals("") || value.equals("%")) && index < m_queryColumns.size())
{ {
sql.append(" AND UPPER(").append(m_queryColumnsSql.get(index).toString()).append(") LIKE '"); // Angelo Dabala' (genied) nectosoft: [2893220] avoid to append string parameters directly because of special chars like quote(s)
sql.append(value); sql.append(" AND UPPER(").append(m_queryColumnsSql.get(index).toString()).append(") LIKE ?");
if (value.endsWith("%"))
sql.append("'");
else
sql.append("%'");
} }
} // addSQLWhere } // addSQLWhere
/**
* Get SQL WHERE parameter
* @param f field
* @return sql part
*/
private String getSQLText (CTextField f)
{
String s = f.getText().toUpperCase();
if (!s.endsWith("%"))
s += "%";
log.fine( "String=" + s);
return s;
} // getSQLText
/** /**
* Set Parameters for Query. * Set Parameters for Query.
* (as defined in getSQLWhere) * (as defined in getSQLWhere)
@ -421,6 +431,14 @@ public class InfoGeneral extends Info
protected void setParameters(PreparedStatement pstmt, boolean forCount) throws SQLException protected void setParameters(PreparedStatement pstmt, boolean forCount) throws SQLException
{ {
int index = 1; int index = 1;
if (textField1.getText().length() > 0)
pstmt.setString(index++, getSQLText(textField1));
if (textField2.getText().length() > 0)
pstmt.setString(index++, getSQLText(textField2));
if (textField3.getText().length() > 0)
pstmt.setString(index++, getSQLText(textField3));
if (textField4.getText().length() > 0)
pstmt.setString(index++, getSQLText(textField4));
} // setParameters } // setParameters
} // InfoGeneral } // InfoGeneral
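Review bot: The number of `?` placeholders that addSQLWhere emits and the number of parameters that setParameters binds can now diverge, which would surface as a SQLException at execute time. addSQLWhere appends the `LIKE ?` only when `!(value.equals("") || value.equals("%")) && index < m_queryColumns.size()`, but setParameters binds a value for every text field whose text has `length() > 0`, so a field containing just `%` (or a field whose index exceeds m_queryColumns.size()) is bound without a matching placeholder; before this commit setParameters bound nothing, so the mismatch is new. The two conditions should share one predicate, as sketched below, assuming textField1..textField4 map to addSQLWhere indices 0..3 (those calls, and the start of the method enclosing the `{` at the top of the second hunk, are outside this diff — confirm before applying). Minor: `toUpperCase()` without a `Locale` argument and the `UPPER()` in SQL may disagree under locale-sensitive casing (e.g. Turkish); `toUpperCase(Locale.ROOT)` would be safer if the database collation is ASCII-like.
```java
/**
 * True when addSQLWhere emits a LIKE placeholder for this value/index;
 * setParameters must bind exactly those values and no others.
 */
private boolean hasQueryValue(String value, int index)
{
    return !(value.equals("") || value.equals("%")) && index < m_queryColumns.size();
}

// … unchanged: getSQLText …

protected void setParameters(PreparedStatement pstmt, boolean forCount) throws SQLException
{
    int index = 1;
    CTextField[] fields = {textField1, textField2, textField3, textField4};
    for (int i = 0; i < fields.length; i++)
    {
        // same predicate as addSQLWhere, so placeholder count == bound parameter count
        if (hasQueryValue(fields[i].getText(), i))
            pstmt.setString(index++, getSQLText(fields[i]));
    }
}
```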