From: Aki Tuomi
Date: Fri, 7 Nov 2025 07:21:01 +0000 (+0200)
Subject: lib-sql: driver-sqlite - Use sqlite3_snprintf() to quote values
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff926d0c9288f343d18a3c9ec20cf1e252d52286;p=thirdparty%2Fdovecot%2Fcore.git
lib-sql: driver-sqlite - Use sqlite3_snprintf() to quote values
This does it the sqlite3 way.
---
diff --git a/src/lib-sql/driver-sqlite.c b/src/lib-sql/driver-sqlite.c
index 50fc424af1..7911a42f24 100644
--- a/src/lib-sql/driver-sqlite.c
+++ b/src/lib-sql/driver-sqlite.c
@@ -308,30 +308,11 @@ static const char *
 driver_sqlite_escape_string(struct sql_db *_db ATTR_UNUSED,
 const char *string)
 {
- const char *p;
- char *dest, *destbegin;
-
- /* find the first ' */
- for (p = string; *p != '\''; p++) {
- if (*p == '\0')
- return t_strdup_noconst(string);
- }
-
- /* @UNSAFE: escape ' with '' */
- dest = destbegin = t_buffer_get((p - string) + strlen(string) * 2 + 1);
-
- memcpy(dest, string, p - string);
- dest += p - string;
-
- for (; *p != '\0'; p++) {
- *dest++ = *p;
- if (*p == '\'')
- *dest++ = *p;
- }
- *dest++ = '\0';
- t_buffer_alloc(dest - destbegin);
-
- return destbegin;
+ const size_t len = strlen(string) * 2 + 1;
+ char *escaped = t_malloc_no0(len);
+ if (sqlite3_snprintf(len, escaped, "%q", string) == NULL)
+ i_unreached();
+ return escaped;
 }
 
 static const char *driver_sqlite_readonly_error(struct sqlite_db *db)
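Review bot: The `== NULL` test after `sqlite3_snprintf()` in driver_sqlite_escape_string() cannot catch a failed or truncated escape, because, as far as I know, that function returns the buffer it was handed rather than an error indicator, and its size argument is an `int`, so `len` is narrowed from `size_t` at the call. If the narrowed size came out zero or negative for a very large input, nothing would be written and the uninitialised, unterminated buffer from `t_malloc_no0()` would be returned and end up in query text. I would assert the bound before allocating, `i_assert(strlen(string) <= (INT_MAX - 1) / 2);`, pass `(int)len` explicitly, and replace the dead check with a comment such as `/* %q only doubles ', so strlen * 2 + 1 bytes always fit */`. The function's return-type line sits in the hunk header, outside the hunk body.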