--- loncom/interface/loncoursedata.pm 2003/12/16 16:47:16 1.111
+++ loncom/interface/loncoursedata.pm 2004/01/19 16:31:25 1.112
@@ -1,6 +1,6 @@
 # The LearningOnline Network with CAPA
 #
-# $Id: loncoursedata.pm,v 1.111 2003/12/16 16:47:16 raeburn Exp $
+# $Id: loncoursedata.pm,v 1.112 2004/01/19 16:31:25 matthew Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1278,13 +1278,21 @@ sub update_full_student_data {
 while (my ($part_id,$hash2) = each (%$hash1)) {
 while (my ($resp_id,$hash3) = each (%$hash2)) {
 while (my ($transaction,$data) = each (%$hash3)) {
- $store_command .= "('".join("','",$symb_id,$part_id,
- $resp_id,$student_id,
- $transaction,
- $data->{'awarddetail'},
- $data->{'response_specific'},
- $data->{'response_specific_value'},
- $data->{'submission'})."'),";
+ my $submission = $data->{'submission'};
+ # We have to be careful with user supplied input.
+ # most of the time we are okay because it is escaped.
+ # However, there is one wrinkle: submissions which end in
+ # and odd number of '\' cause insert errors to occur.
+ # Best trap this somehow...
+ $submission = $dbh->quote($submission);
+ $store_command .= "('".
+ join("','",$symb_id,$part_id,
+ $resp_id,$student_id,
+ $transaction,
+ $data->{'awarddetail'},
+ $data->{'response_specific'},
+ $data->{'response_specific_value'}).
+ "',".$submission."),";
 $store_rows++;
 }
 }
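Review bot: Only `submission` goes through `$dbh->quote`; in the new `$store_command` expression `awarddetail`, `response_specific`, `response_specific_value` and the id fields are still wrapped in hand-written `'...'`, so the statement stays dependent on the upstream escaping the comment mentions, and a value ending in a backslash or containing a quote in any of those columns would break the INSERT the same way. Quoting every column value through the driver (or binding them as placeholders) removes that dependency; a sketch follows. Note that DBI's `quote` returns an unquoted `NULL` for an undefined value where the old code produced `''`, so confirm the columns accept NULL or default undefined values to an empty string first. `$dbh` and the start of `update_full_student_data` lie outside the hunk, so the handle's scope could not be checked here.

```perl
# … unchanged: enclosing while loops over part, response and transaction …
                    # Quote every column value through the driver, not only
                    # the submission, so no field relies on upstream escaping.
                    my @values = map { $dbh->quote($_) }
                        ($symb_id, $part_id, $resp_id, $student_id,
                         $transaction,
                         $data->{'awarddetail'},
                         $data->{'response_specific'},
                         $data->{'response_specific_value'},
                         $data->{'submission'});
                    $store_command .= '('.join(',', @values).'),';
                    $store_rows++;
```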