From 7c72b96b1e4df7c90a88bc4462359bda34c9878f Mon Sep 17 00:00:00 2001 From: Ludovic Marcotte Date: Thu, 25 Mar 2010 01:20:06 +0000 Subject: [PATCH] See ChangeLog Monotone-Parent: 5cd36f9e514c2019e708362661b3ede2e8598fb8 Monotone-Revision: ae25610b2149f561f23ae34e0889a7197d4324c3 Monotone-Author: ludovic@Sophos.ca Monotone-Date: 2010-03-25T01:20:06 Monotone-Branch: ca.inverse.sogo --- ChangeLog | 4 ++++ SoObjects/SOGo/SQLSource.m | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index ef029e276..c94eda63e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ (- _parseLine:) fixed incorrrect handling of QP-encoded attributes. + * SoObjects/SOGo/SQLSource.m - we now properly + escape quotes for SQL parameters coming from + user's input. + 2010-03-22 Ludovic Marcotte * SoObjects/Mailer/SOGoDraftObject.m - we strip diff --git a/SoObjects/SOGo/SQLSource.m b/SoObjects/SOGo/SQLSource.m index 81582b27a..23172d282 100644 --- a/SoObjects/SOGo/SQLSource.m +++ b/SoObjects/SOGo/SQLSource.m @@ -184,6 +184,7 @@ rc = NO; + _login = [_login stringByReplacingString: @"'" withString: @"''"]; cm = [GCSChannelManager defaultChannelManager]; channel = [cm acquireOpenChannelForURL: _viewURL]; if (channel) @@ -237,6 +238,7 @@ response = nil; + theID = [theID stringByReplacingString: @"'" withString: @"''"]; cm = [GCSChannelManager defaultChannelManager]; channel = [cm acquireOpenChannelForURL: _viewURL]; if (channel) @@ -348,6 +350,8 @@ if (channel) { lowerFilter = [filter lowercaseString]; + lowerFilter = [lowerFilter stringByReplacingString: @"'" withString: @"''"]; + sql = [NSString stringWithFormat: (@"SELECT *" @" FROM %@" @" WHERE LOWER(c_cn) LIKE '%%%@%%'"
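Review bot: The added `_login = [_login stringByReplacingString: @"'" withString: @"''"];` only closes the injection on a backend where the single quote is the sole escape mechanism; on MySQL, or on PostgreSQL with `standard_conforming_strings` off (its default before 9.1), a backslash at the end of the input escapes the first of the doubled quotes and the literal is still terminated early. Hand-escaping before `stringWithFormat:` is also backend-dependent, since doubling the backslash as well would corrupt the value on a standards-conforming backend, so the robust fix is to let the adaptor quote the value or bind it as a parameter. If hand-escaping has to stay, at least document the assumption at this line, e.g. `// assumes the backend treats '' as the only quote escape; backslash escaping (MySQL) is not handled`. The query that consumes `_login` is built outside this hunk and the enclosing method starts and ends beyond it, so the interpolation is inferred from the ChangeLog entry rather than seen here.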
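Review bot: The escaping expression added for `theID` is the third verbatim copy of the same `stringByReplacingString: @"'" withString: @"''"` call in this file, which means the quoting rules live in three places and will drift the next time the backend's escaping needs change. A single private helper, e.g. `static NSString *_sqlQuotedString (NSString *value) { return [value stringByReplacingString: @"'" withString: @"''"]; }` called from each site, keeps the policy in one spot and gives a single place to switch to adaptor-provided quoting later. Note that the expression is applied unconditionally, so a nil `theID` stays nil here (messaging nil), and whatever SQL is built from it further down is outside this hunk; the enclosing method begins and ends beyond the hunk.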
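Review bot: The escaped `lowerFilter` is still interpolated into `LIKE '%%%@%%'` with `%` and `_` untouched, so a filter of `%` or `_` (or a filter containing them) matches every row of the view; the quote doubling prevents breaking out of the literal but not wildcard abuse, and as in the other hunks a trailing backslash in the input can defeat the doubling on MySQL or on PostgreSQL with `standard_conforming_strings` off. If letting any caller enumerate the whole view is not intended, escape the wildcards too, e.g. `lowerFilter = [lowerFilter stringByReplacingString: @"%" withString: @"\\%"];` and the same for `_`, paired with an explicit `ESCAPE '\\'` clause on the LIKE so the escape character does not depend on backend defaults, or move the value to the adaptor's own quoting/binding. The `stringWithFormat:` call and the rest of the method continue past the end of the hunk.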