[Dovecot] escaping in sqlite

Jakob Hirsch jh at plonk.de
Sun Jun 25 16:09:35 EEST 2006


Hi Timo & all,

a recent change in the sql drivers introduced escaping, but sqlite is
different in this aspect: you cannot escape with a backslash, the only
character that needs escaping is the quoting character itself (by
doubling it, as the SQL standard says). As the escaping function does
not know which quote character is used, one should only use the single
tick ' (again, as the SQL standard says) and the escaping function
should double any single quote in the string. An (untested) patch for
the latter is attached.

-------------- next part --------------
Index: dovecot/src/lib-sql/driver-sqlite.c
===================================================================
RCS file: /home/cvs/dovecot/src/lib-sql/driver-sqlite.c,v
retrieving revision 1.5.2.1
diff -u -r1.5.2.1 driver-sqlite.c
--- dovecot/src/lib-sql/driver-sqlite.c	31 May 2006 11:02:45 -0000	1.5.2.1
+++ dovecot/src/lib-sql/driver-sqlite.c	25 Jun 2006 12:53:48 -0000
@@ -92,7 +92,24 @@
 static char *driver_sqlite_escape_string(struct sql_db *_db __attr_unused__,
 					 const char *string)
 {
-	return t_strdup_noconst(str_escape(string));
+	size_t newlen = 0;
+	char *c, *newstr;
+
+	/* check if escaping is needed */
+	if (index(string, '\'') == NULL)
+		return string;
+
+	/* escape ' */
+	newstr = t_buffer_get(strlen(string) * 2 + 1);
+	for (c=string; *c != '\0'; ++c) {
+		newstr[newlen++] = *c;
+		if (*c == '\'')
+			newstr[newlen++] = *c;
+	}
+	newstr[newlen] = '\0';
+	t_buffer_alloc(newlen + 1);
+
+	return newstr;
 }

 static void driver_sqlite_exec(struct sql_db *_db, const char *query)
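Review bot: `return string;` and `for (c=string; ...)` discard the `const` qualifier of the `const char *string` parameter in a function declared to return `char *`, so this will not compile cleanly with the project's warning flags; the replaced line wrapped its result in `t_strdup_noconst()`, so the early return should keep that wrapper (`return t_strdup_noconst(string);`) and `c` should be declared `const char *c`. `index()` is a legacy BSD function and `strchr(string, '\'')` is the portable spelling. Since the message says the patch is untested, a quick check that `O'Brien` comes back as `O''Brien` and that a string without quotes is returned unchanged would cover both branches.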


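As an added example, not the patch above or Dovecot's own code, here is the same single-quote doubling as a stand-alone C function using plain malloc instead of Dovecot's data stack, plus a checker that walks a quoted literal with SQLite's rule to show why a backslash before a quote (the old str_escape behaviour) leaves the literal broken. Function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Escape a value for a single-quoted SQLite literal by doubling every ',
 * the only escaping the SQL standard defines (backslashes are not special).
 * Returns a malloc()ed string the caller frees, or NULL on failure. */
char *sqlite_escape_string(const char *string)
{
	size_t len = strlen(string), quotes = 0, i, j = 0;
	char *newstr;

	for (i = 0; i < len; i++)
		if (string[i] == '\'')
			quotes++;

	/* one extra byte per quote plus the terminator */
	newstr = malloc(len + quotes + 1);
	if (newstr == NULL)
		return NULL;

	for (i = 0; i < len; i++) {
		newstr[j++] = string[i];
		if (string[i] == '\'')
			newstr[j++] = '\'';
	}
	newstr[j] = '\0';
	return newstr;
}

/* Check a quoted literal with SQLite's own rule: '' continues the value, a
 * lone ' ends it. Returns 1 when the literal closes exactly at its last byte,
 * 0 when it closes early (the remainder would be parsed as SQL) or never
 * closes. A backslash does not protect a quote, so "'O\'Brien'" fails. */
int literal_is_well_formed(const char *literal)
{
	const char *p;
	if (literal[0] != '\'')
		return 0;
	for (p = literal + 1; *p != '\0'; p++) {
		if (*p != '\'')
			continue;
		if (p[1] == '\'') {
			p++;                /* doubled quote: part of the value */
			continue;
		}
		return p[1] == '\0';    /* lone quote must be the final byte */
	}
	return 0;                   /* unterminated */
}
```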