Postgres: escape quotes in field values

wonder · wonder · commit f87c5c64e39e · 2006-12-08T19:37:33.000Z
git-svn-id: http://svn.osgeo.org/qgis/trunk/qgis@6215 c8812cc2-4d05-0410-92ff-de0c093fc19c
diff --git a/src/providers/postgres/qgspostgresprovider.cpp b/src/providers/postgres/qgspostgresprovider.cpp
@@ -1741,6 +1741,10 @@ bool QgsPostgresProvider::addFeature(QgsFeature* f, int primaryKeyHighWater)
         {
           insert+="'";
         }
+        
+        // important: escape quotes in field value
+        fieldvalue.replace("'", "''");
+        
         insert+=fieldvalue;
         if(charactertype)
         {
@@ -1995,7 +1999,12 @@ bool QgsPostgresProvider::changeAttributeValues(std::map<int,std::map<QString,QS
   {
     for(std::map<QString,QString>::const_iterator siter=(*iter).second.begin();siter!=(*iter).second.end();++siter)
     {
-      QString sql="UPDATE "+mSchemaTableName+" SET "+(*siter).first+"='"+(*siter).second+"' WHERE \"" +primaryKey+"\"="+QString::number((*iter).first);
+      QString val = (*siter).second;
+      
+      // escape quotes
+      val.replace("'", "''");
+      
+      QString sql="UPDATE "+mSchemaTableName+" SET "+(*siter).first+"='"+val+"' WHERE \"" +primaryKey+"\"="+QString::number((*iter).first);
       QgsDebugMsg(sql);
 
       // s end sql statement and do error handling

Original file line number	Diff line number	Diff line change
`@@ -1741,6 +1741,10 @@ bool QgsPostgresProvider::addFeature(QgsFeature* f, int primaryKeyHighWater)`
`1741`	`1741`	`{`
`1742`	`1742`	`insert+="'";`
`1743`	`1743`	`}`
	`1744`	`+`
	`1745`	`+ // important: escape quotes in field value`
	`1746`	`+ fieldvalue.replace("'", "''");`
	`1747`	`+`
`1744`	`1748`	`insert+=fieldvalue;`
`1745`	`1749`	`if(charactertype)`
`1746`	`1750`	`{`
`@@ -1995,7 +1999,12 @@ bool QgsPostgresProvider::changeAttributeValues(std::map<int,std::map<QString,QS`
`1995`	`1999`	`{`
`1996`	`2000`	`for(std::map<QString,QString>::const_iterator siter=(iter).second.begin();siter!=(iter).second.end();++siter)`
`1997`	`2001`	`{`
`1998`		`- QString sql="UPDATE "+mSchemaTableName+" SET "+(siter).first+"='"+(siter).second+"' WHERE \"" +primaryKey+"\"="+QString::number((*iter).first);`
	`2002`	`+ QString val = (*siter).second;`
	`2003`	`+`
	`2004`	`+ // escape quotes`
	`2005`	`+ val.replace("'", "''");`
	`2006`	`+`
	`2007`	`+ QString sql="UPDATE "+mSchemaTableName+" SET "+(siter).first+"='"+val+"' WHERE \"" +primaryKey+"\"="+QString::number((iter).first);`
`1999`	`2008`	`QgsDebugMsg(sql);`
`2000`	`2009`
`2001`	`2010`	`// s end sql statement and do error handling`