ticket: 27309; use dbh->quote

Sorry, I shouldn't have missed this. I've gotten used to using either
DBIx::Class to construct queries for me or using whole prepared statements,
which handle the quoting automagically.  I've gotten out of practice with
SQL created piecemeal.

diff --git a/httemplate/search/cdr.html b/httemplate/search/cdr.html
index 10b3863..778799b 100644 (file)
--- a/httemplate/search/cdr.html
+++ b/httemplate/search/cdr.html
@@ -264,11 +264,9 @@ if ( $cgi->param('acctid') =~ /\d/ ) {
 if ( $cgi->param('accountcode') =~ /\S/ ) {
   my $accountcode = $cgi->param('accountcode');
   my @accountcode = map {
-    ( my $v = $_ ) =~ s/^\s+|\s+$//g;
-    if ( $v =~ /'/ ) { $v =~ s/'/\\'/g; $v = "E'$v'" }
-    elsif ( length $v ) { $v = "'$v'" }
-    length $v ? $v : ()
-  } grep /\S/, split /\R/, $accountcode;
+    ( my $v = $_ ) =~ s/^\s+|\s+$//g;    # trim margin whitespace
+    length $v ? dbh->quote($v) : ()
+  } grep /\S/, split /\R/, $accountcode;    # collect non-trivial lines
   if (@accountcode) {
     my $search = 'accountcode IN ( ' . join( ',', @accountcode ) . ' )';
     push @qsearch, $search;