authorDavid Houghton <houghton@freeside.biz>2014-09-10 16:54:37 -0400
committerIvan Kohler <ivan@freeside.biz>2014-09-11 15:57:11 -0700
commit458aa5523d0bf2ed829b42295ab482768fbae64e (patch)
treecbdcdd8ffdfc88249626259237bb5a6558f8ec1f
parent6039166baf177b99594832363a955d6d70b4037a (diff)
ticket: 27309; use dbh->quote
Sorry, I shouldn't have missed this. I've gotten used to using either DBIx::Class to construct queries for me or using whole prepared statements, which handle the quoting automagically. I've gotten out of practice with SQL created piecemeal.
-rw-r--r--httemplate/search/cdr.html8
1 files changed, 3 insertions, 5 deletions
diff --git a/httemplate/search/cdr.html b/httemplate/search/cdr.html
index 10b386383..778799b1f 100644
--- a/httemplate/search/cdr.html
+++ b/httemplate/search/cdr.html
@@ -264,11 +264,9 @@ if ( $cgi->param('acctid') =~ /\d/ ) {
if ( $cgi->param('accountcode') =~ /\S/ ) {
my $accountcode = $cgi->param('accountcode');
my @accountcode = map {
- ( my $v = $_ ) =~ s/^\s+|\s+$//g;
- if ( $v =~ /'/ ) { $v =~ s/'/\\'/g; $v = "E'$v'" }
- elsif ( length $v ) { $v = "'$v'" }
- length $v ? $v : ()
- } grep /\S/, split /\R/, $accountcode;
+ ( my $v = $_ ) =~ s/^\s+|\s+$//g; # trim margin whitespace
+ length $v ? dbh->quote($v) : ()
+ } grep /\S/, split /\R/, $accountcode; # collect non-trivial lines
if (@accountcode) {
my $search = 'accountcode IN ( ' . join( ',', @accountcode ) . ' )';
push @qsearch, $search;
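Review bot: Nothing in the new map block records that `dbh->quote` is the only thing keeping the CGI-supplied `accountcode` values out of the SQL text that `join` assembles a few lines later; the two trailing comments added here describe the trimming and the filtering instead. I would add a comment on the quoting line such as `# each value is interpolated into the IN (...) list below, so it must go through dbh->quote`. As a smaller style point, `grep /\S/` already guarantees a non-empty string after trimming, so `length $v ? dbh->quote($v) : ()` can be reduced to `dbh->quote($v)`. The number of lines accepted from the parameter is not bounded in this hunk, so a very large paste produces an equally large IN list; a cap may be worth adding if nothing upstream limits it. The enclosing `if` block starts before and ends after the hunk.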