Hi Timo & all,

a recent change in the sql drivers introduced escaping, but sqlite is different in this aspect: You cannot escape with a backslash, the only character that needs escaping is the quoting character itself (by doubling it, as the SQL standard says). As the escaping function does not know which quote character is used, one should only use the single tick ' (again, as the SQL standard says) and the escaping function should double any single quote in the string.

(untested) patch for the latter attached.

Attachment: sqlite-escape.patch <http://dovecot.org/pipermail/dovecot/attachments/20060625/944f3219/attachment.pl>
Jakob Hirsch <jh at plonk.de> writes:

> a recent change in the sql drivers introduced escaping, but sqlite is
> different in this aspect: You cannot escape with a backslash, the only
> character that needs escaping is the quoting character itself (by
> doubling it, as the SQL standard says). As the escaping function does
> not know which quote character is used, one should only use the single
> tick ' (again, as the SQL standard says) and the escaping function
> should double any single quote in the string. (untested) patch for the
> latter attached.

How about just using sqlite_mprintf with %q? It includes malloc() and does proper SQL escaping. See <http://www.sqlite.org/capi3ref.html#sqlite3_mprintf>

-- 
Matthias Andree
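Both messages above turn on the same fact: SQLite has no backslash escaping, and the only thing that needs escaping inside a single-quoted literal is the single quote itself, written twice, which is exactly what sqlite3_mprintf("%q") produces. The following is an added example, not code from the thread or from Dovecot, that checks this against a real SQLite engine. It uses Python's standard sqlite3 module as a stand-in for the C API; the table, the rows and the helper names (escape_sqlite_literal, backslash_escape, query_by_name, demo) are all constructed for the demonstration.

```python
import sqlite3


def escape_sqlite_literal(value: str) -> str:
    """Escape a string for use inside a single-quoted SQLite literal.

    As the thread says, SQLite follows the SQL standard: the only character
    that must be escaped inside '...' is the single quote, and it is escaped
    by doubling it. This is the same transformation sqlite3_mprintf("%q")
    applies in the C API; the surrounding ticks are added by the caller.
    """
    return value.replace("'", "''")


def backslash_escape(value: str) -> str:
    """MySQL-style backslash escaping, the approach the thread says is wrong
    for SQLite. Kept here only to show how it fails."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def query_by_name(conn, name, escaper):
    """Build the statement by string concatenation (the pattern the escaping
    function in the thread is meant to protect) and return matching ids."""
    sql = "SELECT id FROM users WHERE name = '" + escaper(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run the comparison on an in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "O'Brien"), (3, "back\\slash")],  # constructed sample rows
    )
    results = {}

    # Doubling the quote yields 'O''Brien', which SQLite reads as O'Brien.
    results["doubling"] = query_by_name(conn, "O'Brien", escape_sqlite_literal)

    # Backslash escaping yields 'O\'Brien': the literal ends at the second
    # tick and the statement is malformed, so SQLite rejects it.
    try:
        results["backslash"] = query_by_name(conn, "O'Brien", backslash_escape)
    except sqlite3.Error as exc:
        results["backslash"] = "error: " + str(exc)

    # A backslash is an ordinary character to SQLite, so it must be left alone.
    results["literal_backslash"] = query_by_name(conn, "back\\slash", escape_sqlite_literal)
    # Doubling backslashes instead makes SQLite look for two of them: no match.
    results["backslash_literal_wrong"] = query_by_name(conn, "back\\slash", backslash_escape)

    # With correct escaping, quote characters in the value stay data; a value
    # that contains SQL-looking text simply matches nothing.
    results["quotes_in_data"] = query_by_name(conn, "x' OR '1'='1", escape_sqlite_literal)

    # Bound parameters let the engine do the quoting itself, which is the
    # alternative to any hand-written escaping function.
    results["bound"] = [
        row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", ("O'Brien",))
    ]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "backslash" entry is the case Jakob describes: the escaper believed it had neutralised the quote, but SQLite still sees it as the end of the literal. Whether Dovecot keeps its own doubling function or calls sqlite3_mprintf("%q") as Matthias suggests, the output for 'O''Brien' is identical; what matters is that the driver uses single ticks consistently so the escaper knows which character to double.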