[LON-CAPA-cvs] cvs: loncom /interface loncoursedata.pm

matthew lon-capa-cvs@mail.lon-capa.org
Mon, 19 Jan 2004 16:31:25 -0000


matthew		Mon Jan 19 11:31:25 2004 EDT

  Modified files:              
    /loncom/interface	loncoursedata.pm 
  Log:
  Properly quote student submission data when inserting into the response
  table.
  
  
Index: loncom/interface/loncoursedata.pm
diff -u loncom/interface/loncoursedata.pm:1.111 loncom/interface/loncoursedata.pm:1.112
--- loncom/interface/loncoursedata.pm:1.111	Tue Dec 16 11:47:16 2003
+++ loncom/interface/loncoursedata.pm	Mon Jan 19 11:31:25 2004
@@ -1,6 +1,6 @@
 # The LearningOnline Network with CAPA
 #
-# $Id: loncoursedata.pm,v 1.111 2003/12/16 16:47:16 raeburn Exp $
+# $Id: loncoursedata.pm,v 1.112 2004/01/19 16:31:25 matthew Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1278,13 +1278,21 @@
         while (my ($part_id,$hash2) = each (%$hash1)) {
             while (my ($resp_id,$hash3) = each (%$hash2)) {
                 while (my ($transaction,$data) = each (%$hash3)) {
-                    $store_command .= "('".join("','",$symb_id,$part_id,
-                                                $resp_id,$student_id,
-                                                $transaction,
-                                                $data->{'awarddetail'},
-                                                $data->{'response_specific'},
-                                                $data->{'response_specific_value'},
-                                                $data->{'submission'})."'),";
+                    my $submission = $data->{'submission'};
+                    # We have to be careful with user supplied input.
+                    # most of the time we are okay because it is escaped.
+                    # However, there is one wrinkle: submissions which end in
+                    # and odd number of '\' cause insert errors to occur.  
+                    # Best trap this somehow...
+                    $submission = $dbh->quote($submission);
+                    $store_command .= "('".
+                        join("','",$symb_id,$part_id,
+                             $resp_id,$student_id,
+                             $transaction,
+                             $data->{'awarddetail'},
+                             $data->{'response_specific'},
+                             $data->{'response_specific_value'}).
+                             "',".$submission."),";
                     $store_rows++;
                 }
             }
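Review bot: Only `$submission` is passed through `$dbh->quote`; the eight other columns are still wrapped by the hand-built `"('".join("','", ...)."'"` string, so any of those values that can carry a `'` or a trailing `\` (notably `$data->{'response_specific_value'}` and `$data->{'awarddetail'}`, which are presumably derived from the same stored submission record) keeps exactly the insert-failure and injection exposure this commit fixes for one column. I would quote every value uniformly with `map { $dbh->quote($_) }` and drop the manual quoting entirely; note that `$dbh->quote(undef)` yields the bare literal `NULL`, so confirm the table's column definitions accept that before relying on it. The comment also has a typo: `and odd number of '\'` should read `an odd number of '\'`, and its claim that the data is "escaped" most of the time refers to code outside this hunk and should name where. The enclosing subroutine and the code that builds and executes `$store_command` lie outside the hunk.
```perl
                    # Quote every value via DBI so embedded quotes and
                    # trailing backslashes can neither break nor alter the INSERT.
                    my @quoted = map { $dbh->quote($_) }
                        ($symb_id, $part_id, $resp_id, $student_id,
                         $transaction,
                         $data->{'awarddetail'},
                         $data->{'response_specific'},
                         $data->{'response_specific_value'},
                         $data->{'submission'});
                    $store_command .= '('.join(',', @quoted).'),';
                    # … unchanged: $store_rows++ …
```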