From: David Houghton
Date: Wed, 10 Sep 2014 20:54:37 +0000 (-0400)
Subject: ticket: 27309; use dbh->quote
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=458aa5523d0bf2ed829b42295ab482768fbae64e
ticket: 27309; use dbh->quote
Sorry, I shouldn't have missed this. I've gotten used to using either DBIx::Class to construct queries for me or using whole prepared statements, which handle the quoting automagically. I've gotten out of practice with SQL created piecemeal.
---
diff --git a/httemplate/search/cdr.html b/httemplate/search/cdr.html
index 10b386383..778799b1f 100644
--- a/httemplate/search/cdr.html
+++ b/httemplate/search/cdr.html
@@ -264,11 +264,9 @@ if ( $cgi->param('acctid') =~ /\d/ ) {
 if ( $cgi->param('accountcode') =~ /\S/ ) {
 my $accountcode = $cgi->param('accountcode');
 my @accountcode = map {
- ( my $v = $_ ) =~ s/^\s+|\s+$//g;
- if ( $v =~ /'/ ) { $v =~ s/'/\\'/g; $v = "E'$v'" }
- elsif ( length $v ) { $v = "'$v'" }
- length $v ? $v : ()
- } grep /\S/, split /\R/, $accountcode;
+ ( my $v = $_ ) =~ s/^\s+|\s+$//g; # trim margin whitespace
+ length $v ? dbh->quote($v) : ()
+ } grep /\S/, split /\R/, $accountcode; # collect non-trivial lines
 if (@accountcode) {
 my $search = 'accountcode IN ( ' . join( ',', @accountcode ) . ' )';
 push @qsearch, $search;
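Review bot: The `length $v ? dbh->quote($v) : ()` guard on the second added line is unreachable in its false branch: the `grep /\S/` feeding the `map` already drops whitespace-only entries, so after trimming `$v` always has length, and `dbh->quote($v)` alone would do (or keep the guard and say in the trailing comment that it is defensive). The move to `dbh->quote` is also a correctness fix worth recording, since the removed code escaped only single quotes, left backslashes untouched inside a PostgreSQL-specific `E'...'` literal, and the values come directly from `$cgi->param('accountcode')`; a comment such as `# dbh->quote: driver-correct escaping of user-supplied values` on that line would explain why the hand-rolled quoting went away. The enclosing `if ( $cgi->param('accountcode') =~ /\S/ )` block continues past the end of the hunk.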