changeset 4335:6dba897351bb HEAD
Use sql_escape_string() instead of str_escape()
author | Timo Sirainen <tss@iki.fi> |
date | Wed, 14 Jun 2006 14:16:49 +0300 |
parents | 23394b3a7879 |
children | 2e9ec468197d |
files | src/lib-dict/dict-sql.c |
diffstat | 1 files changed, 26 insertions(+), 16 deletions(-) [+] |
--- a/src/lib-dict/dict-sql.c	Mon Jun 12 15:46:15 2006 +0300
+++ b/src/lib-dict/dict-sql.c	Wed Jun 14 14:16:49 2006 +0300
@@ -1,10 +1,9 @@
-/* Copyright (C) 2005 Timo Sirainen */
+/* Copyright (C) 2005-2006 Timo Sirainen */
 
 #include "lib.h"
 #include "array.h"
 #include "istream.h"
 #include "str.h"
-#include "strescape.h"
 #include "sql-api-private.h"
 #include "dict-private.h"
 #include "dict-sql.h"
@@ -169,10 +168,11 @@
 	query = t_str_new(256);
 	str_printfa(query, "SELECT %s FROM %s WHERE %s = '%s'",
 		    dict->select_field, dict->table,
-		    dict->where_field, str_escape(key));
+		    dict->where_field, sql_escape_string(dict->db, key));
 	if (priv) {
 		str_printfa(query, " AND %s = '%s'",
-			    dict->username_field, str_escape(dict->username));
+			    dict->username_field,
+			    sql_escape_string(dict->db, dict->username));
 	}
 	result = sql_query_s(dict->db, str_c(query));
 	t_pop();
@@ -208,15 +208,18 @@
 	str_printfa(query, "SELECT %s, %s FROM %s "
 		    "WHERE %s LIKE '%s/%%'",
 		    dict->where_field, dict->select_field,
-		    dict->table, dict->where_field, str_escape(path));
+		    dict->table, dict->where_field,
+		    sql_escape_string(dict->db, path));
 	if (priv) {
 		str_printfa(query, " AND %s = '%s'",
 			    dict->username_field,
-			    str_escape(dict->username));
+			    sql_escape_string(dict->db,
+					      dict->username));
 	}
 	if (!recurse) {
 		str_printfa(query, " AND %s NOT LIKE '%s/%%/%%'",
-			    dict->where_field, str_escape(path));
+			    dict->where_field,
+			    sql_escape_string(dict->db, path));
 	}
 	ctx->result = sql_query_s(dict->db, str_c(query));
 	t_pop();
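Review bot: In the iteration hunk, sql_escape_string() makes `path` safe inside the quoted literal but does nothing about LIKE metacharacters, so a path containing `%` or `_` still acts as a wildcard in `WHERE %s LIKE '%s/%%'` and in `AND %s NOT LIKE '%s/%%/%%'`, and the iteration can return keys outside the requested subtree or drop ones inside it. Whether an untrusted party can influence dict paths is not visible from this hunk, so treat this as a caveat to confirm rather than a proven hole. The fix is to escape `%`, `_` and the escape character itself in `path` into a temporary first (order matters: wildcard escape, then sql_escape_string(), so the driver escaping does not undo it) and use that temporary for the three LIKE placeholders; until then, add `/* NOTE: sql_escape_string() quotes the literal only; LIKE wildcards (%, _) in path are not escaped */` above the first str_printfa(). The table and field names are still interpolated raw, which is acceptable only while they come from trusted configuration. The enclosing function starts and ends outside the hunk.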
@@ -307,16 +310,20 @@
 			"ON DUPLICATE KEY UPDATE %s = '%s'",
 			dict->table, dict->select_field,
 			dict->where_field, dict->username_field,
-			str_escape(key), str_escape(value),
-			str_escape(dict->username),
-			str_escape(key), str_escape(value));
+			sql_escape_string(dict->db, key),
+			sql_escape_string(dict->db, value),
+			sql_escape_string(dict->db, dict->username),
+			sql_escape_string(dict->db, key),
+			sql_escape_string(dict->db, value));
 	} else {
 		query = t_strdup_printf(
 			"INSERT INTO %s (%s, %s) VALUES (%s, %s) "
 			"ON DUPLICATE KEY UPDATE %s = '%s'",
 			dict->table, dict->select_field, dict->where_field,
-			str_escape(key), str_escape(value),
-			str_escape(key), str_escape(value));
+			sql_escape_string(dict->db, key),
+			sql_escape_string(dict->db, value),
+			sql_escape_string(dict->db, key),
+			sql_escape_string(dict->db, value));
 	}
 	sql_update(ctx->sql_ctx, query);
 	t_pop();
@@ -341,15 +348,18 @@
 			"ON DUPLICATE KEY UPDATE %s = %s + %lld",
 			dict->table, dict->select_field,
 			dict->where_field, dict->username_field,
-			str_escape(key), diff, str_escape(dict->username),
-			str_escape(key), str_escape(key), diff);
+			sql_escape_string(dict->db, key), diff,
+			sql_escape_string(dict->db, dict->username),
+			sql_escape_string(dict->db, key),
+			sql_escape_string(dict->db, key), diff);
 	} else {
 		query = t_strdup_printf(
 			"INSERT INTO %s (%s, %s) VALUES (%s, %lld) "
 			"ON DUPLICATE KEY UPDATE %s = %s + %lld",
 			dict->table, dict->select_field, dict->where_field,
-			str_escape(key), diff,
-			str_escape(key), str_escape(key), diff);
+			sql_escape_string(dict->db, key), diff,
+			sql_escape_string(dict->db, key),
+			sql_escape_string(dict->db, key), diff);
 	}
 	sql_update(ctx->sql_ctx, query);
 	t_pop();
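Review bot: As shown in the first hunk, the non-private INSERT literal reads `VALUES (%s, %s)` with bare placeholders for the escaped key and value, while the `ON DUPLICATE KEY UPDATE %s = '%s'` part of the same statement quotes its placeholder; if the source really lacks those quotes the escaping added here is moot because the statement is malformed for any string key (the text may also be an artifact of this view, so confirm against the file). Style: key and value are each escaped twice per branch, so hoisting `const char *esc_key = sql_escape_string(dict->db, key);` and `const char *esc_value = sql_escape_string(dict->db, value);` above the if would let the argument lists line up with the placeholders and make the query easier to audit. `dict->table`, `dict->select_field`, `dict->where_field` and `dict->username_field` are still interpolated without escaping, which is acceptable only while they come from trusted configuration. The enclosing function starts outside the hunk.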