[Dovecot] escaping in sqlite

Jakob Hirsch jh at plonk.de
Mon Jun 26 00:39:47 EEST 2006


Quoting Matthias Andree:

> How about just using sqlite_mprintf with %q? It includes malloc() and
> does proper SQL escaping.

I thought about it, but the reference says "The strings returned by
these routines should be freed by calling sqlite3_free()", not a plain
free(), so we'd require an additional strdup. But the main reason is the
avoidance of a heavy-weight printf-substitute (don't know how optimized
it is, though). Would be different if we'd use it to escape a whole
query, e.g. SELECT something FROM somewhere WHERE bla='%q' AND blub='%q'
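To make the %q discussion concrete, here is an added C example (not code from the thread or from Dovecot) that reimplements the one thing SQLite's %q conversion does to a string: it doubles every single quote so the value can be placed inside a quoted SQL literal. The helper names sqlite_escape_q and build_where are hypothetical; unlike sqlite3_mprintf(), whose result must go to sqlite3_free(), the result of this helper is freed with plain free(), which is the strdup concern raised above. The column name is deliberately a compile-time constant: quote-doubling protects string literals only, never identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sqlite_escape_q: hypothetical helper, added for this example. It mirrors
 * what SQLite's %q conversion does to a string argument: every single quote
 * becomes two single quotes, so the value is safe inside '...' in SQL.
 * The caller frees the result with free(). Returns NULL on allocation
 * failure. */
char *sqlite_escape_q(const char *in)
{
    size_t quotes = 0;
    for (const char *p = in; *p; p++)
        if (*p == '\'')
            quotes++;

    size_t len = strlen(in);
    char *out = malloc(len + quotes + 1);   /* +1 for the terminating NUL */
    if (out == NULL)
        return NULL;

    char *o = out;
    for (const char *p = in; *p; p++) {
        *o++ = *p;
        if (*p == '\'')
            *o++ = '\'';                     /* ' -> '' */
    }
    *o = '\0';
    return out;
}

/* build_where: hypothetical helper that builds the kind of query shown in the
 * message ("... WHERE bla='%q'"). `column` must be a trusted constant: quote
 * doubling only makes string literals safe, it does nothing for identifiers.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *build_where(const char *column, const char *value)
{
    char *esc = sqlite_escape_q(value);
    if (esc == NULL)
        return NULL;

    /* sizeof() of the fixed text includes the NUL terminator. */
    size_t n = strlen(column) + strlen(esc)
             + sizeof("SELECT something FROM somewhere WHERE =''");
    char *q = malloc(n);
    if (q == NULL) {
        free(esc);
        return NULL;
    }
    snprintf(q, n, "SELECT something FROM somewhere WHERE %s='%s'", column, esc);
    free(esc);
    return q;
}

int main(void)
{
    /* Constructed sample value containing quotes, to show the doubling. */
    char *q = build_where("user", "o'brien");
    if (q == NULL)
        return 1;
    puts(q);   /* SELECT something FROM somewhere WHERE user='o''brien' */
    free(q);
    return 0;
}
```

In real Dovecot code the cheaper and safer route for a single value is a bound parameter (sqlite3_prepare/sqlite3_bind_text), which needs no escaping at all; quote doubling is what you fall back to when the whole query text has to be assembled as a string, which is exactly the situation the message's last sentence describes.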