Commit 3e5bfe3d authored by Sebastian Ramacher's avatar Sebastian Ramacher

Use sqlite3_mprintf for proper escaping



Not that it is really needed here, since every argument is controlled by us. But
rather safe than sorry.
Signed-off-by: Sebastian Ramacher's avatarSebastian Ramacher <sebastian+dev@ramacher.at>
parent 12aa509f
...@@ -265,9 +265,14 @@ prepare_statement(sqlite3* session, const char* statement) ...@@ -265,9 +265,14 @@ prepare_statement(sqlite3* session, const char* statement)
static bool static bool
check_column(sqlite3* session, const char* table, const char* col, bool* res) check_column(sqlite3* session, const char* table, const char* col, bool* res)
{ {
char* query = g_strdup_printf("PRAGMA table_info(%s);", table); /* we can't actually bind the argument with sqlite3_bind_text because
sqlite3_stmt* stmt = prepare_statement(session, query); * sqlite3_prepare_v2 fails with "PRAGMA table_info(?);" */
char* query = sqlite3_mprintf("PRAGMA table_info(%Q);", table);
if (query == NULL) {
return false;
}
sqlite3_stmt* stmt = prepare_statement(session, query);
if (stmt == NULL) { if (stmt == NULL) {
return false; return false;
} }
...@@ -286,7 +291,7 @@ check_column(sqlite3* session, const char* table, const char* col, bool* res) ...@@ -286,7 +291,7 @@ check_column(sqlite3* session, const char* table, const char* col, bool* res)
} }
sqlite3_finalize(stmt); sqlite3_finalize(stmt);
g_free(query); sqlite3_free(query);
return true; return true;
} }
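Review bot: The early return at `if (stmt == NULL) { return false; }` leaks the buffer that sqlite3_mprintf allocated a few lines earlier, because query is only released by the sqlite3_free in the second hunk; the same omission existed with g_strdup_printf/g_free before, but the commit rewrites the allocation without closing that path. Change it to `if (stmt == NULL) { sqlite3_free(query); return false; }`. Any other early return in the part of check_column that lies between the two hunks (outside both) would need the same release, or the function could funnel through a single cleanup label. Separately, `%Q` emits a single-quoted string literal, which SQLite accepts for PRAGMA table_info, but `%w` (double-quoted identifier escaping) would state the intent more precisely if the sqlite3 version in use provides it.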