[Dovecot] escaping in sqlite

Matthias Andree matthias.andree at gmx.de
Sun Jun 25 20:27:27 EEST 2006


Jakob Hirsch <jh at plonk.de> writes:

> a recent change in the sql drivers introduced escaping, but sqlite is
> different in this aspect: You cannot escape with a backslash, the only
> character that needs escaping is the quoting character itself (by
> doubling it, as the SQL standard says). As the escaping function does
> not know which quote character is used, one should only use the single
> tick ' (again, as the SQL standard says) and the escaping function
> should double any single quote in the string. (untested) patch for the
> latter attached.

How about just using sqlite_mprintf with %q? It includes malloc() and
does proper SQL escaping.
See <http://www.sqlite.org/capi3ref.html#sqlite3_mprintf>

-- 
Matthias Andree
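As an added illustration (not code from this thread or from Dovecot), the quote-doubling rule Jakob describes, next to a small tokenizer check that shows why a backslash-escaped quote still ends a SQLite string literal. The input value and the query shape are constructed for the example; sqlite3_mprintf's %q performs the same doubling but does not add the surrounding quotes, so the format must still read '%q'.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for a single-quoted SQLite literal by doubling every
 * single quote, the only escaping SQLite (and standard SQL) knows. A
 * backslash is an ordinary character here and would not protect a quote.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *sqlite_escape(const char *in)
{
    size_t len = strlen(in), quotes = 0, i, j = 0;
    for (i = 0; i < len; i++)
        if (in[i] == '\'') quotes++;
    char *out = malloc(len + quotes + 1);
    if (!out) return NULL;
    for (i = 0; i < len; i++) {
        out[j++] = in[i];
        if (in[i] == '\'') out[j++] = '\'';  /* '' is one literal quote */
    }
    out[j] = '\0';
    return out;
}

/* Count the string literals SQLite's tokenizer sees in sql: inside a
 * literal '' is one escaped quote, any other ' closes it. A correctly
 * escaped value yields exactly 1; -1 means the last literal never closed. */
int count_literals(const char *sql)
{
    int n = 0, inside = 0;
    for (; *sql; sql++) {
        if (*sql != '\'')
            continue;
        if (!inside) { inside = 1; n++; }
        else if (sql[1] == '\'') sql++;  /* doubled quote: stay inside */
        else inside = 0;
    }
    return inside ? -1 : n;
}

int main(void)
{
    char sql[96], *esc = sqlite_escape("o'brien");  /* constructed input */
    if (!esc) return 1;
    snprintf(sql, sizeof sql, "SELECT pw FROM users WHERE userid = '%s'", esc);
    printf("%s -> %d literal(s)\n", sql, count_literals(sql));  /* 1 */
    snprintf(sql, sizeof sql, "SELECT pw FROM users WHERE userid = '%s'", "o\\'brien");
    printf("%s -> %d literal(s)\n", sql, count_literals(sql));  /* -1 */
    free(esc);
    return 0;
}
```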
