Hi Timo&all, a recent change in the sql drivers introduced escaping, but sqlite is different in this aspect: You cannot escape with a backslash, the only character that needs escaping is the quoting character itself (by doubling it, as the SQL standard says). As the escaping function does not know which quote character is used, one should only use the single tick ' (again, as the SQL standard says) and the escaping function should double any single quote in the string. (untested) patch for the latter attached.
Index: dovecot/src/lib-sql/driver-sqlite.c =================================================================== RCS file: /home/cvs/dovecot/src/lib-sql/driver-sqlite.c,v retrieving revision 1.5.2.1 diff -u -r1.5.2.1 driver-sqlite.c --- dovecot/src/lib-sql/driver-sqlite.c 31 May 2006 11:02:45 -0000 1.5.2.1 +++ dovecot/src/lib-sql/driver-sqlite.c 25 Jun 2006 12:53:48 -0000 @@ -92,7 +92,24 @@ static char *driver_sqlite_escape_string(struct sql_db *_db __attr_unused__, const char *string) { - return t_strdup_noconst(str_escape(string)); + size_t newlen = 0; + char *c, *newstr; + + /* check if escaping is needed */ + if (index(string, '\'') == NULL) + return string; + + /* escape ' */ + newstr = t_buffer_get(strlen(string) * 2 + 1); + for (c=string; *c != '\0'; ++c) { + newstr[newlen++] = *c; + if (*c == '\'') + newstr[newlen++] = *c; + } + newstr[newlen] = '\0'; + t_buffer_alloc(newlen + 1); + + return newstr; } static void driver_sqlite_exec(struct sql_db *_db, const char *query)
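Review bot: the early-out `return string;` and the loop variable `char *c` both drop the `const` of the `string` parameter in a function declared to return `char *`; the line being removed avoided that with t_strdup_noconst(), so keep `return t_strdup_noconst(string);` for the no-quote case and declare `const char *c` in the loop (or change the signature). Two smaller points: `index()` is the legacy BSD name for `strchr()`, which is the standard call; and since this routine only doubles `'`, every caller of driver_sqlite_escape_string() must wrap the value in single quotes, as the message says, because a value wrapped in double quotes gets no protection from it. The author notes the patch is untested; the buffer sizing itself is sound, as the output can be at most twice the input plus the terminator.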
Jakob Hirsch <jh@plonk.de> writes:
a recent change in the sql drivers introduced escaping, but sqlite is different in this aspect: You cannot escape with a backslash, the only character that needs escaping is the quoting character itself (by doubling it, as the SQL standard says). As the escaping function does not know which quote character is used, one should only use the single tick ' (again, as the SQL standard says) and the escaping function should double any single quote in the string. (untested) patch for the latter attached.
How about just using sqlite_mprintf with %q? It includes malloc() and does proper SQL escaping. See <http://www.sqlite.org/capi3ref.html#sqlite3_mprintf>
-- Matthias Andree
Quoting Matthias Andree:
How about just using sqlite_mprintf with %q? It includes malloc() and does proper SQL escaping.
I thought about it, but the reference says "The strings returned by these routines should be freed by calling sqlite3_free()", not a plain free(), so we'd require an additional strdup. But the main reason is the avoidance of a heavy-weight printf-substitute (don't know how optimized it is, though). It would be different if we used it to escape a whole query, e.g. SELECT something FROM somewhere WHERE bla='%q' AND blub='%q'
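The quote-doubling rule the thread settles on, as an added worked example that is not Dovecot code and not the patch above: a standalone escaper that doubles single quotes (the same thing sqlite3_mprintf's %q does), the backslash-style escaper the thread says is wrong for SQLite kept only for contrast, and a small scanner that decodes a single-quoted literal the way an SQL-standard tokenizer does ('' inside the literal is one quote, any other quote terminates it). The function names and the sample inputs are constructed for this example; literal_roundtrips() returns 1 only if the escaped and quoted value is read back as exactly one literal, equal to the input, with nothing left over to be parsed as SQL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape for a single-quoted SQLite literal: double every single quote,
   as the SQL standard prescribes. SQLite has no backslash escapes, so
   nothing else needs escaping. Returns a malloc()ed string, NULL on OOM.
   (Example code; not the Dovecot driver's function.) */
char *sqlite_escape_squote(const char *s)
{
    size_t n = strlen(s), i, j = 0;
    char *out = malloc(2 * n + 1);     /* worst case: every byte is a quote */
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        out[j++] = s[i];
        if (s[i] == '\'')
            out[j++] = '\'';
    }
    out[j] = '\0';
    return out;
}

/* Backslash escaping, which the thread says does NOT work for SQLite.
   Kept here only to show what goes wrong: prefix ' and \ with a backslash. */
char *backslash_escape(const char *s)
{
    size_t n = strlen(s), i, j = 0;
    char *out = malloc(2 * n + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        if (s[i] == '\'' || s[i] == '\\')
            out[j++] = '\\';
        out[j++] = s[i];
    }
    out[j] = '\0';
    return out;
}

/* Wrap an already escaped value in single quotes: 'value'. */
char *quote_squote(const char *escaped)
{
    size_t n = strlen(escaped);
    char *out = malloc(n + 3);
    if (out == NULL)
        return NULL;
    out[0] = '\'';
    memcpy(out + 1, escaped, n);
    out[n + 1] = '\'';
    out[n + 2] = '\0';
    return out;
}

/* Decode the single-quoted literal starting at q[0] by SQL-standard rules:
   '' inside the literal is one quote, any other quote terminates it.
   Stores the decoded value in *value (malloc()ed) and returns the number
   of bytes consumed, or 0 if q does not start with a terminated literal. */
size_t scan_literal(const char *q, char **value)
{
    size_t i = 1, j = 0;
    char *v;

    if (q[0] != '\'')
        return 0;
    v = malloc(strlen(q) + 1);
    if (v == NULL)
        return 0;
    for (;;) {
        if (q[i] == '\0') {              /* unterminated literal */
            free(v);
            return 0;
        }
        if (q[i] == '\'') {
            if (q[i + 1] == '\'') {      /* doubled quote: one literal ' */
                v[j++] = '\'';
                i += 2;
                continue;
            }
            i++;                         /* closing quote */
            break;
        }
        v[j++] = q[i++];
    }
    v[j] = '\0';
    *value = v;
    return i;
}

/* 1 if escaping `input` with `esc`, quoting it and re-tokenizing yields one
   literal equal to `input` with nothing left over; 0 if the literal ends
   early (the rest would be parsed as SQL) or is malformed. */
int literal_roundtrips(char *(*esc)(const char *), const char *input)
{
    char *e = esc(input), *q, *v = NULL;
    size_t used;
    int ok;

    if (e == NULL)
        return 0;
    q = quote_squote(e);
    free(e);
    if (q == NULL)
        return 0;
    used = scan_literal(q, &v);
    ok = used != 0 && q[used] == '\0' && strcmp(v, input) == 0;
    free(v);
    free(q);
    return ok;
}

int main(void)
{
    const char *payload = "x' OR '1'='1";   /* constructed sample input */
    printf("doubling:  %d\n", literal_roundtrips(sqlite_escape_squote, payload));
    printf("backslash: %d\n", literal_roundtrips(backslash_escape, payload));
    return 0;
}
```

With the constructed payload x' OR '1'='1, the doubled form 'x'' OR ''1''=''1' reads back as one literal equal to the input, while the backslash form 'x\' OR '1'='1' ends at the third byte and leaves OR '1'='1' outside the literal, which is exactly the injection the thread's change is meant to prevent. The scanner only models single-quoted literals, which matches the thread's point that the escaper cannot protect a value a caller wraps in double quotes.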