From b38b33fd04fe6eeb1aafbc7d1576574c7b81b284 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 20 Dec 2002 03:01:01 +0000 Subject: [PATCH] replace the use of StringUtil.quote(String) with StringUtil.JDBCescapeStringLiteral(String) to better escape single quotes and other JDBC stuff --- source/mir/storage/Database.java | 10 +++------- source/mircoders/module/ModuleContent.java | 7 +++++-- source/mircoders/storage/DatabaseLinksImcs.java | 8 ++++---- 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/source/mir/storage/Database.java b/source/mir/storage/Database.java index a5719089..081a0029 100755 --- a/source/mir/storage/Database.java +++ b/source/mir/storage/Database.java @@ -55,7 +55,7 @@ import mir.misc.*; * Treiber, Host, User und Passwort, ueber den der Zugriff auf die * Datenbank erfolgt. * - * @version $Revision: 1.21.2.3 $ $Date: 2002/12/10 09:05:07 $ + * @version $Revision: 1.21.2.4 $ $Date: 2002/12/20 03:01:01 $ * @author $Author: mh $ * */ @@ -282,13 +282,9 @@ public class Database implements StorageObject { break; case java.sql.Types.CHAR:case java.sql.Types.VARCHAR:case java.sql.Types.LONGVARCHAR: outValue = rs.getString(valueIndex); - //if (outValue != null) - //outValue = StringUtil.encodeHtml(StringUtil.unquote(outValue)); break; case java.sql.Types.LONGVARBINARY: outValue = rs.getString(valueIndex); - //if (outValue != null) - //outValue = StringUtil.encodeHtml(StringUtil.unquote(outValue)); break; case java.sql.Types.TIMESTAMP: // it's important to use Timestamp here as getting it @@ -698,7 +694,7 @@ public class Database implements StorageObject { } else { if (theEntity.hasValueForField(aField)) { - aValue = "'" + StringUtil.quote((String)theEntity.getValue(aField)) + aValue = "'" + StringUtil.JDBCescapeStringLiteral((String)theEntity.getValue(aField)) + "'"; } } 
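Review bot: The two Database.java hunks at @@ -698 and @@ -801 still assemble the INSERT and UPDATE text by string concatenation, so the change only narrows the injection surface to whatever JDBCescapeStringLiteral happens to cover, and that helper's handling of backslashes and driver-specific escape sequences is not visible on this page. The durable fix is to emit `?` placeholders at these two sites and bind the value with `PreparedStatement.setString`, which removes the need for an escaping helper altogether. Until that refactor lands, the contract should be stated where the value is inlined: `// value is spliced into SQL text; JDBCescapeStringLiteral must neutralise every quote/escape form the target driver accepts — TODO bind via PreparedStatement`. The enclosing methods of both hunks start and end outside the hunk.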
@@ -801,7 +797,7 @@ public class Database implements StorageObject { else { firstField = false; } - fv.append(aField).append("='").append(StringUtil.quote((String)theEntity.getValue(aField))).append("'"); + fv.append(aField).append("='").append(StringUtil.JDBCescapeStringLiteral((String)theEntity.getValue(aField))).append("'"); } } } diff --git a/source/mircoders/module/ModuleContent.java b/source/mircoders/module/ModuleContent.java index 4f41b5c0..dff406e3 100755 --- a/source/mircoders/module/ModuleContent.java +++ b/source/mircoders/module/ModuleContent.java @@ -49,11 +49,14 @@ import mircoders.storage.*; /* * ContentObjekt - * - * @version $Id: ModuleContent.java,v 1.7.4.3 2002/11/01 05:38:20 mh Exp $ + * @version $Id: ModuleContent.java,v 1.7.4.4 2002/12/20 03:01:01 mh Exp $ * * @author RK * * $Log: ModuleContent.java,v $ + * Revision 1.7.4.4 2002/12/20 03:01:01 mh + * replace the use of StringUtil.quote(String) with StringUtil.JDBCescapeStringLiteral(String) to better escape single quotes and other JDBC stuff + * * Revision 1.7.4.3 2002/11/01 05:38:20 mh * Converted media Interface to use streams (Java IO) instead of byte buffers of * the entire uplaoded files. These saves loads of unecessary memory use. JAI @@ -172,7 +175,7 @@ public class ModuleContent extends AbstractModule public EntityList getContentByField(String aField, String aValue, String orderBy, int offset, EntityUsers user) throws ModuleException { - String whereClause = "lower("+aField + ") like lower('%" + StringUtil.quote(aValue) + "%')"; + String whereClause = "lower("+aField + ") like lower('%" + StringUtil.JDBCescapeStringLiteral(aValue) + "%')"; return getContent(whereClause, orderBy, offset, user); } diff --git a/source/mircoders/storage/DatabaseLinksImcs.java b/source/mircoders/storage/DatabaseLinksImcs.java index 7290782e..0f7597c9 100755 --- a/source/mircoders/storage/DatabaseLinksImcs.java +++ b/source/mircoders/storage/DatabaseLinksImcs.java 
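Review bot: In getContentByField (ModuleContent.java, @@ -172) the column name `aField` is still concatenated into `lower(` + aField + `)` with no escaping or validation; a string-literal escaper cannot protect an identifier position, so if aField is taken from a request parameter this remains a SQL injection point that the commit does not close. Validate aField against the fixed set of searchable column names before building the clause, throwing ModuleException otherwise, rather than passing the raw text through. Separately, `%` and `_` inside aValue pass straight into the LIKE pattern, so callers can match more rows than intended unless those are escaped too; worth noting as `// aValue is a literal fragment, not a pattern: LIKE wildcards are not escaped here`. The method appears to lie entirely within the hunk.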
@@ -114,9 +114,9 @@ public class DatabaseLinksImcs extends Database else { if (theEntityValues.containsKey(aField)) { if (aField.equals("to_parent_id")) { - aValue = StringUtil.quote((String)theEntityValues.get(aField)); + aValue = StringUtil.JDBCescapeStringLiteral((String)theEntityValues.get(aField)); } else { - aValue = "'" + StringUtil.quote((String)theEntityValues.get(aField)) + "'"; + aValue = "'" + StringUtil.JDBCescapeStringLiteral((String)theEntityValues.get(aField)) + "'"; } } } @@ -192,9 +192,9 @@ public class DatabaseLinksImcs extends Database firstField = false; } if (aField.equals("to_parent_id")) { - fv.append(aField).append("=").append(StringUtil.quote((String)theEntityValues.get(aField))); + fv.append(aField).append("=").append(StringUtil.JDBCescapeStringLiteral((String)theEntityValues.get(aField))); } else { - fv.append(aField).append("='").append(StringUtil.quote((String)theEntityValues.get(aField))).append("'"); + fv.append(aField).append("='").append(StringUtil.JDBCescapeStringLiteral((String)theEntityValues.get(aField))).append("'"); } } } -- 2.11.0
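Review bot: In the `to_parent_id` branches of both DatabaseLinksImcs hunks (@@ -114 and @@ -192) the escaped value is emitted without surrounding quotes, so JDBCescapeStringLiteral does nothing useful there: with no quote to break out of, any non-numeric content goes straight into the statement as SQL text. Presumably the column is numeric, in which case the value should be validated as such before use, e.g. `aValue = String.valueOf(Integer.parseInt((String)theEntityValues.get(aField)));` in the first hunk and the equivalent inside the `fv.append` branch of the second, or better, bound as a `?` parameter. If an empty or null to_parent_id is legitimate for this entity, that case needs an explicit branch rather than an empty token in the SQL. The enclosing methods begin and end outside both hunks.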