Use sqlite3_mprintf for proper escaping

Not that is really needed here since every argument is controlled by us. But rather safe than sorry. Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>

Use sqlite3_mprintf for proper escaping
Not that is really needed here since every argument is controlled by us. But rather safe than sorry. Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>
3e5bfe3d · Sebastian Ramacher · 12aa509f · 3e5bfe3d
Commit 3e5bfe3d authored Jun 21, 2013 by Sebastian Ramacher
--- a/database-sqlite.c
+++ b/database-sqlite.c
@@ -265,9 +265,14 @@ prepare_statement(sqlite3* session, const char* statement)
 static bool
 check_column(sqlite3* session, const char* table, const char* col, bool* res)
 {
-  char* query = g_strdup_printf("PRAGMA table_info(%s);", table);
+  /* we can't actually bind the argument with sqlite3_bind_text because
-  sqlite3_stmt* stmt = prepare_statement(session, query);
+   * sqlite3_prepare_v2 fails with "PRAGMA table_info(?);" */
+  char* query = sqlite3_mprintf("PRAGMA table_info(%Q);", table);
+  if (query == NULL) {
+    return false;
+  }
+  sqlite3_stmt* stmt = prepare_statement(session, query);
  if (stmt == NULL) {
    return false;
  }
@@ -286,7 +291,7 @@ check_column(sqlite3* session, const char* table, const char* col, bool* res)
  }
  sqlite3_finalize(stmt);
-  g_free(query);
+  sqlite3_free(query);
  return true;
 }