Hi Timo & all,

a recent change in the sql drivers introduced escaping, but sqlite is different in this aspect: You cannot escape with a backslash; the only character that needs escaping is the quoting character itself (by doubling it, as the SQL standard says). As the escaping function does not know which quote character is used, one should only use the single tick ' (again, as the SQL standard says) and the escaping function should double any single quote in the string.

(untested) patch for the latter attached.

Index: dovecot/src/lib-sql/driver-sqlite.c =================================================================== RCS file: /home/cvs/dovecot/src/lib-sql/driver-sqlite.c,v retrieving revision 1.5.2.1 diff -u -r1.5.2.1 driver-sqlite.c --- dovecot/src/lib-sql/driver-sqlite.c 31 May 2006 11:02:45 -0000 1.5.2.1 +++ dovecot/src/lib-sql/driver-sqlite.c 25 Jun 2006 12:53:48 -0000 @@ -92,7 +92,24 @@ static char *driver_sqlite_escape_string(struct sql_db *_db __attr_unused__, const char *string) { - return t_strdup_noconst(str_escape(string)); + size_t newlen = 0; + char *c, *newstr; + + /* check if escaping is needed */ + if (index(string, '\'') == NULL) + return string; + + /* escape ' */ + newstr = t_buffer_get(strlen(string) * 2 + 1); + for (c=string; *c != '\0'; ++c) { + newstr[newlen++] = *c; + if (*c == '\'') + newstr[newlen++] = *c; + } + newstr[newlen] = '\0'; + t_buffer_alloc(newlen + 1); + + return newstr; } static void driver_sqlite_exec(struct sql_db *_db, const char *query)
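
Review bot: the early return `return string;` hands the caller's `const char *` back through a `char *` return type, where the removed line always returned a fresh copy via `t_strdup_noconst(...)`. Callers now get either the input pointer or a newly allocated buffer depending on whether the string contains a quote. Returning `t_strdup_noconst(string)` on that path keeps the contract uniform and avoids the discarded-qualifier warning. The same const issue applies to `char *c` with `for (c=string; ...)`, so `c` should be declared `const char *`. `index()` is the legacy BSD name and the hunk shows no include for it, so `strchr()` is the safer choice. The `strlen(string) * 2 + 1` sizing does cover the worst case of every byte being a quote. Since only `'` is doubled, the function is safe only for values placed inside single-quoted literals; a short comment above the function stating that query templates must quote with `'` and never `"` would keep that assumption from being lost.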