com_upd: always escape the filename
authorAndre <maan@p133.(none)>
Tue, 2 May 2006 18:16:14 +0000 (20:16 +0200)
committerAndre <maan@p133.(none)>
Tue, 2 May 2006 18:16:14 +0000 (20:16 +0200)
Fixes problems with filenames starting with "'"

mysql_selector.c

index 8d043f5ae4759b21487a30916155df8275aeff3d..e2c9562c7aa64bb14e4f5f4830ca0117130aaa63 100644 (file)
@@ -663,7 +663,7 @@ out:
        return ret;
 }
 
-static char *escape_blob(char* old, int size)
+static char *escape_blob(const char* old, int size)
 {
        char *new;
 
@@ -674,7 +674,7 @@ static char *escape_blob(char* old, int size)
        return new;
 }
 
-static char *escape_str(char* old)
+static char *escape_str(const char* old)
 {
        return escape_blob(old, strlen(old));
 }
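Review bot: `escape_str` passes `strlen(old)`, a `size_t`, into the `int size` parameter of `escape_blob`, so the length is silently narrowed at that call. The body of `escape_blob` lies between the two hunks and is not shown; if it sizes the output buffer from `size`, a wrapped or negative value would turn into a memory-safety problem. Either make the parameter `size_t`, or reject oversized input before the call, e.g. `if (len > INT_MAX) return NULL;`. The ownership contract also deserves a comment on `escape_str`, e.g. `/* returns a newly allocated escaped copy of old; the caller must free() it */`, since the new call site in `com_upd` relies on exactly that.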
@@ -2321,7 +2321,6 @@ static int mysql_write_tmp_file(const char *dir, const char *name)
 {
        int ret = -E_TMPFILE;
        char *msg = make_message("%s\t%s\n", dir, name);
-
        if (fputs(msg, out_file) != EOF)
                ret = 1;
        free(msg);
@@ -2384,12 +2383,15 @@ static int com_upd(int fd, int argc, __a_unused char *argv[])
                goto out;
        }
        while ((row = mysql_fetch_row(result))) {
+               char *erow;
                ret = -E_NOROW;
                if (!row[0])
                        goto out;
                send_va_buffer(fd, "new entry: %s\n", row[0]);
+               erow = escape_str(row[0]);
                query = make_message("insert into data (name, pic_id) values "
-                       "('%s','%s')", row[0], "1");
+                       "('%s','%s')", erow, "1");
+               free(erow);
                ret = real_query(query);
                free(query);
                if (ret < 0)
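Review bot: The result of `escape_str(row[0])` is passed straight to `make_message` as a `%s` argument without a check. The body of `escape_blob` is not visible here; if it can return NULL (for example on allocation failure or a missing connection), the INSERT would be built from a null pointer. I would add `if (!erow) goto out;` right after the assignment, with `ret` set to a fitting error first, because at that point it still holds `-E_NOROW`. A one-line comment above the call would record why the escaping must stay, e.g. `/* row[0] is a file name and may contain quotes; never embed it in SQL unescaped */`. `com_upd` begins and ends outside this hunk, so the `out:` cleanup path could not be checked from here.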