Depend on DocumentTemplate 3.1+ to do SQL quoting.

zopefoundation · Jan 31, 2020 · 6a65ab1 · 6a65ab1
1 parent 2023a72
commit 6a65ab1
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 5 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,8 @@ Changelog
 3.0.11 (unreleased)
 -------------------
 
+- Depend on ``DocumentTemplate`` 3.1+ to do SQL quoting.
+
 
 3.0.10 (2020-01-29)
 -------------------

diff --git a/setup.py b/setup.py
@@ -65,7 +65,7 @@
         'Zope >= 4.0b5',
         'Missing',
         'Record',
-        'DocumentTemplate >= 3.0b7',
+        'DocumentTemplate >= 3.1',
     ],
     include_package_data=True,
     zip_safe=False,

diff --git a/src/Shared/DC/ZRDB/Connection.py b/src/Shared/DC/ZRDB/Connection.py
@@ -32,6 +32,7 @@
 from App.special_dtml import DTMLFile
 from DateTime.DateTime import DateTime
 from DocumentTemplate import HTML
+from DocumentTemplate.DT_Var import sql_quote
 from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from Persistence import Persistent
@@ -210,10 +211,7 @@ def connect(self, s):
         return self
 
     def sql_quote__(self, v):
-        if v.find("'") >= 0:
-            v = "''".join(v.split("'"))
-        if v.find('\x00') >= 0:
-            v = ''.join(v.split('\x00'))
+        v = sql_quote(v)
         return "'%s'" % v
 
 

diff --git a/src/Shared/DC/ZRDB/tests/test_connection.py b/src/Shared/DC/ZRDB/tests/test_connection.py
@@ -49,12 +49,40 @@ def test_sql_quote___embedded_apostrophe(self):
         self.assertEqual(conn.sql_quote__(TO_QUOTE),
                          "'w''embedded apostrophe'")
 
+    def test_sql_quote___embedded_backslash(self):
+        TO_QUOTE = "embedded \\backslash"
+        conn = self._makeOne('conn', '', 'conn string')
+        self.assertEqual(conn.sql_quote__(TO_QUOTE),
+                         "'embedded \\\\backslash'")
+        # Show for good measure that the seeming four backslashes
+        # are really two, when you look at the raw string.
+        self.assertEqual(conn.sql_quote__(TO_QUOTE),
+                         r"'embedded \\backslash'")
+
+    def test_sql_quote___embedded_double_quote(self):
+        TO_QUOTE = 'embedded "double quote'
+        conn = self._makeOne('conn', '', 'conn string')
+        self.assertEqual(conn.sql_quote__(TO_QUOTE),
+                         "'embedded \"double quote'")
+
     def test_sql_quote___embedded_null(self):
         TO_QUOTE = "w'embedded apostrophe and \x00null"
         conn = self._makeOne('conn', '', 'conn string')
         self.assertEqual(conn.sql_quote__(TO_QUOTE),
                          "'w''embedded apostrophe and null'")
 
+        # This is another version of a nul character.
+        TO_QUOTE = "embedded other \x1anull"
+        conn = self._makeOne('conn', '', 'conn string')
+        self.assertEqual(conn.sql_quote__(TO_QUOTE),
+                         "'embedded other null'")
+
+    def test_sql_quote___embedded_carriage_return(self):
+        TO_QUOTE = "w'embedded carriage\rreturn"
+        conn = self._makeOne('conn', '', 'conn string')
+        self.assertEqual(conn.sql_quote__(TO_QUOTE),
+                         "'embedded carriagereturn'")
+
 
 def test_suite():
     suite = unittest.TestSuite()