Fix escaping bug.

git-svn-id: svn+ssh://svn.gnucash.org/repo/gnucash/trunk@5697 57a11ea4-9604-0410-9ed3-97b8803252fd
2025-02-25 18:55:30 -06:00 · 2001-10-19 08:37:04 +00:00 · 2001-10-19 08:37:04 +00:00 · df790e9422
commit df790e9422
parent 7192f9b6ca
2 changed files with 24 additions and 5 deletions
--- a/src/backend/postgres/checkpoint.c
+++ b/src/backend/postgres/checkpoint.c
@ -54,6 +54,7 @@

 #include "builder.h"
 #include "checkpoint.h"
+#include "escape.h"

 #include "putil.h"

@ -327,12 +328,15 @@ get_checkpoint_date_cb (PGBackend *be, PGresult *result, int j, gpointer data)
 static void
 pgendAccountGetCheckpoint (PGBackend *be, Checkpoint *chk)
 {
+   sqlEscape *escape;
   char guid_str[80], end_str[80];
   char * p;

   if (!be || !chk) return;
   ENTER("be=%p", be);

+   escape = sqlEscape_new ();
+
   guid_to_string_buff (chk->account_guid, guid_str);
   gnc_timespec_to_iso8601_buff (chk->date_end, end_str);

@ -345,12 +349,15 @@ pgendAccountGetCheckpoint (PGBackend *be, Checkpoint *chk)
                  "    WHERE accountGuid='");
   p = stpcpy (p, guid_str);
   p = stpcpy (p, "'   AND commodity='");
-   p = stpcpy (p, chk->commodity);
+   p = stpcpy (p, sqlEscapeString (escape, chk->commodity));
   p = stpcpy (p, "'   AND date_end <'");
   p = stpcpy (p, end_str);
   p = stpcpy (p, "';");
   SEND_QUERY (be,be->buff, );

+   sqlEscape_destroy (escape);
+   escape = NULL;
+
   pgendGetResults (be, get_checkpoint_cb, chk);

   /* now get the ending date of the last checkpoint,
@ -363,7 +370,7 @@ pgendAccountGetCheckpoint (PGBackend *be, Checkpoint *chk)
   p = stpcpy (p, end_str);
   p = stpcpy (p, "'   ORDER BY date_start DESC LIMIT 1;");
   SEND_QUERY (be,be->buff, );
-   
+
   /* provide default value, in case there are no checkpoints */
   chk->date_start = gnc_iso8601_to_timespec_local (CK_EARLIEST_DATE);
   pgendGetResults (be, get_checkpoint_date_cb, chk);
--- a/src/backend/postgres/price.c
+++ b/src/backend/postgres/price.c
@ -39,6 +39,8 @@
 #include "guid.h"

 #include "PostgresBackend.h"
+#include "escape.h"
+#include "price.h"
 #include "putil.h"

 static short module = MOD_BACKEND; 
@ -319,6 +321,9 @@ void
 pgendPriceLookup (Backend *bend, GNCPriceLookup *look)
 {
   PGBackend *be = (PGBackend *)bend;
+   const char * commodity_str;
+   const char * currency_str;
+   sqlEscape *escape;
   char * p;

   ENTER ("be=%p, lookup=%p", be, look);
@ -334,6 +339,11 @@ pgendPriceLookup (Backend *bend, GNCPriceLookup *look)
      return;
   }

+   escape = sqlEscape_new ();
+
+   commodity_str = gnc_commodity_get_unique_name(look->commodity);
+   currency_str  = gnc_commodity_get_unique_name(look->currency);
+
   /* don't send events  to GUI, don't accept callbacks to backend */
   gnc_engine_suspend_events();
   pgendDisable(be);
@ -342,11 +352,14 @@ pgendPriceLookup (Backend *bend, GNCPriceLookup *look)
   p = be->buff; *p = 0;
   p = stpcpy (p, "SELECT * FROM gncPrice"
                  "  WHERE commodity='");
-   p = stpcpy (p, gnc_commodity_get_unique_name(look->commodity));
+   p = stpcpy (p, sqlEscapeString (escape, commodity_str));
   p = stpcpy (p, "'  AND currency='");
-   p = stpcpy (p, gnc_commodity_get_unique_name(look->currency));
+   p = stpcpy (p, sqlEscapeString (escape, currency_str));
   p = stpcpy (p, "' ");

+   sqlEscape_destroy (escape);
+   escape = NULL;
+
   switch (look->type)
   {
      case LOOKUP_LATEST:
@ -393,7 +406,6 @@ pgendPriceLookup (Backend *bend, GNCPriceLookup *look)
   /* re-enable events */
   pgendEnable(be);
   gnc_engine_resume_events();
-
 }

 /* ============================================================= */