From 3aaa1d5206f6ee3c527b8b3e6616a4cd53520f0e Mon Sep 17 00:00:00 2001
From: Fred Gleason
Date: Fri, 3 Dec 2021 16:21:57 -0500
Subject: [PATCH] 2021-12-03 Fred Gleason * Fixed a SQL escaping bug in 'lib/export_resultsrecon.cpp'. * Fixed a SQL escaping bug in 'lib/rdlibrarymodel.cpp'. * Fixed a SQL escaping bug in 'rdlibrary/rdlibrary.cpp'.
Signed-off-by: Fred Gleason
---
 ChangeLog | 4 ++++
 lib/export_resultsrecon.cpp | 2 +-
 lib/rdlibrarymodel.cpp | 2 +-
 rdlibrary/rdlibrary.cpp | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index be392070..c11639f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22593,3 +22593,7 @@
 2021-12-03 Fred Gleason
 * Fixed a regression in 'RDCart::xml()' that caused a SQL error to be generated.
+2021-12-03 Fred Gleason
+ * Fixed a SQL escaping bug in 'lib/export_resultsrecon.cpp'.
+ * Fixed a SQL escaping bug in 'lib/rdlibrarymodel.cpp'.
+ * Fixed a SQL escaping bug in 'rdlibrary/rdlibrary.cpp'.
diff --git a/lib/export_resultsrecon.cpp b/lib/export_resultsrecon.cpp
index faab66bf..7bf542fd 100644
--- a/lib/export_resultsrecon.cpp
+++ b/lib/export_resultsrecon.cpp
@@ -54,7 +54,7 @@ bool RDReport::ExportResultsReport(const QString &filename,
 "`ELR_LINES`.`ARTIST`,"+ // 06
 "`ELR_LINES`.`EXT_START_TIME` "+ // 07
 "from `ELR_LINES` left join `CART` "+
- "on `ELR_LINES`.`CART_NUMBER`=`CART.NUMBER` where "+
+ "on `ELR_LINES`.`CART_NUMBER`=`CART`.`NUMBER` where "+
 "`SERVICE_NAME`='"+RDEscapeString(mixtable)+"' "+
 "order by `EVENT_DATETIME`";
 q=new RDSqlQuery(sql);
diff --git a/lib/rdlibrarymodel.cpp b/lib/rdlibrarymodel.cpp
index d182574d..73087b0c 100644
--- a/lib/rdlibrarymodel.cpp
+++ b/lib/rdlibrarymodel.cpp
@@ -437,7 +437,7 @@ QModelIndex RDLibraryModel::addCart(unsigned cartnum)
 QString sql=sqlFields()+
 "where "+
- QString::asprintf("CART.NUMBER=%u",cartnum);
+ QString::asprintf("`CART`.`NUMBER`=%u",cartnum);
 RDSqlQuery *q=new RDSqlQuery(sql);
 if(q->first()) {
 updateRow(offset,q);
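Review bot: The `on` clause change in lib/export_resultsrecon.cpp is an identifier-quoting fix, not value escaping, and nothing in the hunk documents that difference. With ``=`CART.NUMBER` `` the single pair of backticks names one column literally called "CART.NUMBER", so the join condition could not resolve; no externally supplied value is involved (`mixtable` was already passed through `RDEscapeString`). The ChangeLog wording "SQL escaping bug" could lead a later security audit to look for an injection fix here, so an entry such as `* Fixed a SQL identifier quoting bug in 'lib/export_resultsrecon.cpp'.` would be more precise. The same applies to the lib/rdlibrarymodel.cpp hunk and the rdlibrary/rdlibrary.cpp hunk, where the value is an unsigned formatted with `%u` and only the column reference gains backticks. The statements in all three hunks start or continue outside the visible lines.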
diff --git a/rdlibrary/rdlibrary.cpp b/rdlibrary/rdlibrary.cpp
index 996c9a69..bfb7a7a5 100644
--- a/rdlibrary/rdlibrary.cpp
+++ b/rdlibrary/rdlibrary.cpp
@@ -691,7 +691,7 @@ void MainWidget::notificationReceivedData(RDNotification *notify)
 unsigned cartnum=notify->id().toUInt();
 switch(notify->action()) {
 case RDNotification::AddAction:
- and_fields.push_back(QString::asprintf("CART.NUMBER=%u",cartnum));
+ and_fields.push_back(QString::asprintf("`CART`.`NUMBER`=%u",cartnum));
 sql=QString("select ")+
 "`CART`.`NUMBER` "+ // 00
 "from `CART` "+
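Review bot: `notify->id().toUInt()` on the first context line is used without its `ok` flag, so an id that is not a valid unsigned number silently becomes 0 and is still formatted into the ``"`CART`.`NUMBER`=%u"`` condition on the changed line. The `%u` conversion keeps the value numeric, so this is not an injection path, but a malformed notification would still run a lookup for cart 0. Consider `bool ok=false; unsigned cartnum=notify->id().toUInt(&ok);` followed by `if(!ok) return;` or whatever early exit suits the rest of the function. The return type of `id()` is not visible here (both QVariant and QString offer this overload), and notificationReceivedData starts and continues outside the hunk.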