Properly escape table names

fr00b0 · fr00b0 · commit aae8c3da3fbb · 2015-10-03T22:29:51.000+02:00
The method CppSQLite3DB::tableExist was not escaping the table names in the
sql query properly, which caused exceptions when the table name contains
quotes.

The fix was simply to change the string formatting to use the sqlite specific
printf variant (through CppSQLite3Buffer) with a %Q. This has the nice side
effect of also removing a warning when building with visual studio.
diff --git a/CppSQLite3.cpp b/CppSQLite3.cpp
@@ -1166,11 +1166,10 @@ CppSQLite3Statement CppSQLite3DB::compileStatement(const char* szSQL)
 
 bool CppSQLite3DB::tableExists(const char* szTable)
 {
-    char szSQL[128];
-    sprintf(szSQL,
-            "select count(*) from sqlite_master where type='table' and name='%s'",
-            szTable);
-    int nRet = execScalar(szSQL);
+    CppSQLite3Buffer sql;
+    sql.format( "select count(*) from sqlite_master where type='table' and name=%Q",
+                szTable );
+    int nRet = execScalar(sql);
     return (nRet > 0);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1166,11 +1166,10 @@ CppSQLite3Statement CppSQLite3DB::compileStatement(const char* szSQL)`
`1166`	`1166`
`1167`	`1167`	`bool CppSQLite3DB::tableExists(const char* szTable)`
`1168`	`1168`	`{`
`1169`		`- char szSQL[128];`
`1170`		`- sprintf(szSQL,`
`1171`		`- "select count(*) from sqlite_master where type='table' and name='%s'",`
`1172`		`- szTable);`
`1173`		`- int nRet = execScalar(szSQL);`
	`1169`	`+ CppSQLite3Buffer sql;`
	`1170`	`+ sql.format( "select count(*) from sqlite_master where type='table' and name=%Q",`
	`1171`	`+ szTable );`
	`1172`	`+ int nRet = execScalar(sql);`
`1174`	`1173`	`return (nRet > 0);`
`1175`	`1174`	`}`
`1176`	`1175`