From 560d6545e30c9e603dac1caa476639a83ad78eb1 Mon Sep 17 00:00:00 2001 From: Andre Date: Tue, 2 May 2006 20:16:14 +0200 Subject: [PATCH] com_upd: always escape the filename Fixes problems with filenames starting with "'" --- mysql_selector.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/mysql_selector.c b/mysql_selector.c index 8d043f5a..e2c9562c 100644 --- a/mysql_selector.c +++ b/mysql_selector.c @@ -663,7 +663,7 @@ out: return ret; } -static char *escape_blob(char* old, int size) +static char *escape_blob(const char* old, int size) { char *new; @@ -674,7 +674,7 @@ static char *escape_blob(char* old, int size) return new; } -static char *escape_str(char* old) +static char *escape_str(const char* old) { return escape_blob(old, strlen(old)); } @@ -2321,7 +2321,6 @@ static int mysql_write_tmp_file(const char *dir, const char *name) { int ret = -E_TMPFILE; char *msg = make_message("%s\t%s\n", dir, name); - if (fputs(msg, out_file) != EOF) ret = 1; free(msg); @@ -2384,12 +2383,15 @@ static int com_upd(int fd, int argc, __a_unused char *argv[]) goto out; } while ((row = mysql_fetch_row(result))) { + char *erow; ret = -E_NOROW; if (!row[0]) goto out; send_va_buffer(fd, "new entry: %s\n", row[0]); + erow = escape_str(row[0]); query = make_message("insert into data (name, pic_id) values " - "('%s','%s')", row[0], "1"); + "('%s','%s')", erow, "1"); + free(erow); ret = real_query(query); free(query); if (ret < 0) -- 2.39.5