Any comments to this?
I apologize for the extra * characters in the code snippets from my
first email, let me try again. The current code in apr_dbd_sqlite2.c and
in apr_dbd_sqlite3.c for escaping strings is:
static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
                                      apr_dbd_t *sql)
{
    char *ret = sqlite3_mprintf(arg);
    apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
                              apr_pool_cleanup_null);
    return ret;
}
The first line of the function needs to be changed to:
    char *ret = sqlite3_mprintf("%q", arg);
Otherwise the use of '%' characters in arg will have unwanted side effects.
Ronen Mizrahi wrote:
The following code (used both in apr_dbd_sqlite2.c and in
apr_dbd_sqlite3.c) in order to escape SQL strings is incorrect.
When the % character appears in the arg it is misinterpreted, of course,
and can have far reaching side effects.
The proper solution is listed below as well.
INCORRECT:
static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
                                      apr_dbd_t *sql)
{
    char *ret = sqlite3_mprintf(arg);
    apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
                              apr_pool_cleanup_null);
    return ret;
}
CORRECT:
static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
                                      apr_dbd_t *sql)
{
    char *ret = sqlite3_mprintf("%q", arg);
    apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
                              apr_pool_cleanup_null);
    return ret;
}