lib-sql: driver-sqlite - Use sqlite3_snprintf() to quote values
authorAki Tuomi <aki.tuomi@open-xchange.com>
Fri, 7 Nov 2025 07:21:01 +0000 (09:21 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Thu, 29 Jan 2026 16:45:30 +0000 (16:45 +0000)
This does it the sqlite3 way.

src/lib-sql/driver-sqlite.c

index 50fc424af1959231ba5b098357ad04ebfc59bfe8..7911a42f24800872159fba04349f8c8a0f543b76 100644 (file)
@@ -308,30 +308,11 @@ static const char *
 driver_sqlite_escape_string(struct sql_db *_db ATTR_UNUSED,
                            const char *string)
 {
-       const char *p;
-       char *dest, *destbegin;
-
-       /* find the first ' */
-       for (p = string; *p != '\''; p++) {
-               if (*p == '\0')
-                       return t_strdup_noconst(string);
-       }
-
-       /* @UNSAFE: escape ' with '' */
-       dest = destbegin = t_buffer_get((p - string) + strlen(string) * 2 + 1);
-
-       memcpy(dest, string, p - string);
-       dest += p - string;
-
-       for (; *p != '\0'; p++) {
-               *dest++ = *p;
-               if (*p == '\'')
-                       *dest++ = *p;
-       }
-       *dest++ = '\0';
-       t_buffer_alloc(dest - destbegin);
-
-       return destbegin;
+       const size_t len = strlen(string) * 2 + 1;
+       char *escaped = t_malloc_no0(len);
+       if (sqlite3_snprintf(len, escaped, "%q", string) == NULL)
+               i_unreached();
+       return escaped;
 }
 
 static const char *driver_sqlite_readonly_error(struct sqlite_db *db)
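Review bot: The `len` passed to `sqlite3_snprintf()` is a `size_t`, but that function takes its buffer size as an `int`, so for a very long `string` the value is narrowed on the call; a size that ends up zero or negative makes SQLite return the buffer without writing to it, and `t_malloc_no0()` has left that buffer uninitialized. The `== NULL` test does not catch this or any truncation, because `sqlite3_snprintf()` returns the buffer pointer it was given. A bound ahead of the allocation, e.g. `i_assert(strlen(string) < INT_MAX / 2);`, would keep the escaping routine from handing an unterminated or partly escaped value to the query builder. A short comment such as `/* worst case: every byte is ' and gets doubled, plus NUL */` on the `len` line would also record why truncation cannot happen below that bound.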