From 6dc1b113d0a7cdf3d7b6d567728d39568f1ed982 Mon Sep 17 00:00:00 2001 From: Justin Clark-Casey (justincc) Date: Thu, 15 May 2014 22:45:01 +0100 Subject: Escape find string in PgSQL core groups plugin --- OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs | 18 ++++++++++++++++++ OpenSim/Data/PGSQL/PGSQLGroupsData.cs | 10 +++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) (limited to 'OpenSim/Data/PGSQL') diff --git a/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs b/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs index 2151568..826c6fc 100644 --- a/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs +++ b/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs @@ -300,9 +300,27 @@ namespace OpenSim.Data.PGSQL m_Realm, where); cmd.Connection = conn; cmd.CommandText = query; + //m_log.WarnFormat("[PGSQLGenericTable]: SELECT {0} WHERE {1}", m_Realm, where); + + conn.Open(); + return DoQuery(cmd); + } + } + public virtual T[] Get(string where, NpgsqlParameter parameter) + { + using (NpgsqlConnection conn = new NpgsqlConnection(m_ConnectionString)) + using (NpgsqlCommand cmd = new NpgsqlCommand()) + { + + string query = String.Format("SELECT * FROM {0} WHERE {1}", + m_Realm, where); + cmd.Connection = conn; + cmd.CommandText = query; //m_log.WarnFormat("[PGSQLGenericTable]: SELECT {0} WHERE {1}", m_Realm, where); + cmd.Parameters.Add(parameter); + conn.Open(); return DoQuery(cmd); } diff --git a/OpenSim/Data/PGSQL/PGSQLGroupsData.cs b/OpenSim/Data/PGSQL/PGSQLGroupsData.cs index ed75b63..15c965b 100644 --- a/OpenSim/Data/PGSQL/PGSQLGroupsData.cs +++ b/OpenSim/Data/PGSQL/PGSQLGroupsData.cs 
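Review bot: The new `Get(string where, NpgsqlParameter parameter)` overload still formats `where` straight into the command text, so it is injection-safe only while every caller passes a constant fragment, and nothing on the method states that contract. A doc comment would make it explicit, e.g. `/// <summary>Runs SELECT * FROM the realm table with <paramref name="where"/> inserted verbatim; it must never contain caller-supplied data. Bind values through <paramref name="parameter"/>.</summary>`. The body also duplicates the existing `Get(string where)` (which starts outside this hunk), including the commented-out `m_log.WarnFormat` line; a shared private helper that takes the parameters to add would keep the two from drifting apart.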
@@ -83,11 +83,15 @@ namespace OpenSim.Data.PGSQL public GroupData[] RetrieveGroups(string pattern) { if (string.IsNullOrEmpty(pattern)) // True for where clause + { pattern = " true ORDER BY lower(\"Name\") LIMIT 100"; + return m_Groups.Get(pattern); + } else - pattern = string.Format(" lower(\"Name\") LIKE lower('%{0}%') ORDER BY lower(\"Name\") LIMIT 100", pattern); - - return m_Groups.Get(pattern); + { + pattern = string.Format(" lower(\"Name\") LIKE lower('%:pattern%') ORDER BY lower(\"Name\") LIMIT 100"); + return m_Groups.Get(pattern, new NpgsqlParameter("pattern", pattern)); + } } public bool DeleteGroup(UUID groupID) -- cgit v1.1
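Review bot: In the `else` branch of `RetrieveGroups` the search term is lost: `pattern` is reassigned to the WHERE fragment before `new NpgsqlParameter("pattern", pattern)` is built, so the value bound is the SQL text rather than what the caller searched for. The placeholder also sits inside a quoted literal (`'%:pattern%'`), where it is unlikely to be treated as a parameter, so the query would probably match the literal text `:pattern`. Keeping the clause in its own variable and putting the wildcards in the bound value avoids both: `string where = " lower(\"Name\") LIKE lower(:pattern) ORDER BY lower(\"Name\") LIMIT 100";` followed by `return m_Groups.Get(where, new NpgsqlParameter("pattern", "%" + pattern + "%"));`. Any `%` or `_` typed by the user will still act as a LIKE wildcard unless it is escaped. The `string.Format` call no longer has arguments and can be dropped.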