/ FLTGetIsLikeComparisonSQLExpression */ / Build an sql expression for IsLike filter. */ /
| 2932 | /* Build an sql expression for IsLike filter. */ |
| 2933 | /************************************************************************/ |
| 2934 | char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode, |
| 2935 | layerObj *lp) |
| 2936 | { |
| 2937 | const size_t bufferSize = 1024; |
| 2938 | char szBuffer[1024]; |
| 2939 | char *pszValue = NULL; |
| 2940 | |
| 2941 | char *pszWild = NULL; |
| 2942 | char *pszSingle = NULL; |
| 2943 | char *pszEscape = NULL; |
| 2944 | char szTmp[4]; |
| 2945 | |
| 2946 | int nLength=0, i=0, j=0; |
| 2947 | int bCaseInsensitive = 0; |
| 2948 | |
| 2949 | char *pszEscapedStr = NULL; |
| 2950 | |
| 2951 | if (!psFilterNode || !psFilterNode->pOther || !psFilterNode->psLeftNode || |
| 2952 | !psFilterNode->psRightNode || !psFilterNode->psRightNode->pszValue) |
| 2953 | return NULL; |
| 2954 | |
| 2955 | pszWild = ((FEPropertyIsLike *)psFilterNode->pOther)->pszWildCard; |
| 2956 | pszSingle = ((FEPropertyIsLike *)psFilterNode->pOther)->pszSingleChar; |
| 2957 | pszEscape = ((FEPropertyIsLike *)psFilterNode->pOther)->pszEscapeChar; |
| 2958 | bCaseInsensitive = ((FEPropertyIsLike *)psFilterNode->pOther)->bCaseInsensitive; |
| 2959 | |
| 2960 | if (!pszWild || strlen(pszWild) == 0 || |
| 2961 | !pszSingle || strlen(pszSingle) == 0 || |
| 2962 | !pszEscape || strlen(pszEscape) == 0) |
| 2963 | return NULL; |
| 2964 | |
| 2965 | if (pszEscape[0] == '\'') |
| 2966 | { |
| 2967 | /* This might be valid, but the risk of SQL injection is too high */ |
| 2968 | /* and the below code is not ready for that */ |
| 2969 | /* Someone who does this has clearly suspect intentions ! */ |
| 2970 | msSetError(MS_MISCERR, "Single quote character is not allowed as an escaping character.", |
| 2971 | "FLTGetIsLikeComparisonSQLExpression()"); |
| 2972 | return NULL; |
| 2973 | } |
| 2974 | |
| 2975 | |
| 2976 | szBuffer[0] = '\0'; |
| 2977 | /*opening bracket*/ |
| 2978 | strlcat(szBuffer, " (", bufferSize); |
| 2979 | |
| 2980 | /* attribute name */ |
| 2981 | pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue); |
| 2982 | |
| 2983 | strlcat(szBuffer, pszEscapedStr, bufferSize); |
| 2984 | msFree(pszEscapedStr); |
| 2985 | pszEscapedStr = NULL; |
| 2986 | |
| 2987 | if (bCaseInsensitive == 1 && lp->connectiontype == MS_POSTGIS) |
| 2988 | strlcat(szBuffer, " ilike '", bufferSize); |
| 2989 | else |
| 2990 | strlcat(szBuffer, " like '", bufferSize); |
| 2991 |
no test coverage detected