[Dovecot] escaping in sqlite
Jakob Hirsch
jh at plonk.de
Mon Jun 26 00:39:47 EEST 2006
Quoting Matthias Andree:
> How about just using sqlite_mprintf with %q? It includes malloc() and
> does proper SQL escaping.
I thought about it, but the reference says "The strings returned by
these routines should be freed by calling sqlite3_free()", not a plain
free(), so we'd require an additional strdup. But the main reason is the
avoidance of a heavy-weight printf substitute (I don't know how optimized
it is, though). It would be different if we used it to escape a whole
query, e.g. SELECT something FROM somewhere WHERE bla='%q' AND blub='%q'