Replaced name escape with a function (WP 2)

Author: marcobambini

src/cloudsync.c

@@ -573,9 +573,9 @@ char *table_build_values_sql (db_t *db, cloudsync_table_context *table) {
 
     // Unfortunately in SQLite column names (or table names) cannot be bound parameters in a SELECT statement
     // otherwise we should have used something like SELECT 'SELECT ? FROM %w WHERE rowid=?';
-
-    char *singlequote_escaped_table_name = cloudsync_memory_mprintf("%q", table->name);
-
+    char buffer[1024];
+    char *singlequote_escaped_table_name = sql_escape_name(table->name, buffer, sizeof(buffer));
+    
     #if !CLOUDSYNC_DISABLE_ROWIDONLY_TABLES
     if (table->rowid_only) {
         sql = memory_mprintf("WITH col_names AS (SELECT group_concat('\"' || format('%%w', name) || '\"', ',') AS cols FROM pragma_table_info('%q') WHERE pk=0 ORDER BY cid) SELECT 'SELECT ' || (SELECT cols FROM col_names) || ' FROM \"%w\" WHERE rowid=?;'", table->name, table->name);
@@ -588,7 +588,6 @@ char *table_build_values_sql (db_t *db, cloudsync_table_context *table) {
 #if !CLOUDSYNC_DISABLE_ROWIDONLY_TABLES
 process_process:
 #endif
-    cloudsync_memory_free(singlequote_escaped_table_name);
     if (!sql) return NULL;
 
     char *query = NULL;
@@ -606,9 +605,9 @@ char *table_build_mergedelete_sql (db_t *db, cloudsync_table_context *table) {
     }
     #endif
 
-    char *singlequote_escaped_table_name = cloudsync_memory_mprintf("%q", table->name);
+    char buffer[1024];
+    char *singlequote_escaped_table_name = sql_escape_name(table->name, buffer, sizeof(buffer));
     char *sql = cloudsync_memory_mprintf("WITH pk_where AS (SELECT group_concat('\"' || format('%%w', name) || '\"', '=? AND ') || '=?' AS pk_clause FROM pragma_table_info('%q') WHERE pk>0 ORDER BY pk) SELECT 'DELETE FROM \"%w\" WHERE ' || (SELECT pk_clause FROM pk_where) || ';'", table->name, singlequote_escaped_table_name);
-    cloudsync_memory_free(singlequote_escaped_table_name);
     if (!sql) return NULL;
 
     char *query = NULL;
@@ -634,18 +633,17 @@ char *table_build_mergeinsert_sql (db_t *db, cloudsync_table_context *table, con
     }
     #endif
 
-    char *singlequote_escaped_table_name = cloudsync_memory_mprintf("%q", table->name);
+    char buffer[1024];
+    char *singlequote_escaped_table_name = sql_escape_name(table->name, buffer, sizeof(buffer));
 
     if (colname == NULL) {
         // is sentinel insert
         sql = cloudsync_memory_mprintf("WITH pk_where AS (SELECT group_concat('\"' || format('%%w', name) || '\"') AS pk_clause FROM pragma_table_info('%q') WHERE pk>0 ORDER BY pk), pk_bind AS (SELECT group_concat('?') AS pk_binding FROM pragma_table_info('%q') WHERE pk>0 ORDER BY pk) SELECT 'INSERT OR IGNORE INTO \"%w\" (' || (SELECT pk_clause FROM pk_where) || ') VALUES ('  || (SELECT pk_binding FROM pk_bind) || ');'", table->name, table->name, singlequote_escaped_table_name);
     } else {
-        char *singlequote_escaped_col_name = cloudsync_memory_mprintf("%q", colname);
+        char buffer2[1024];
+        char *singlequote_escaped_col_name = sql_escape_name(colname, buffer2, sizeof(buffer2));
         sql = cloudsync_memory_mprintf("WITH pk_where AS (SELECT group_concat('\"' || format('%%w', name) || '\"') AS pk_clause FROM pragma_table_info('%q') WHERE pk>0 ORDER BY pk), pk_bind AS (SELECT group_concat('?') AS pk_binding FROM pragma_table_info('%q') WHERE pk>0 ORDER BY pk) SELECT 'INSERT INTO \"%w\" (' || (SELECT pk_clause FROM pk_where) || ',\"%w\") VALUES ('  || (SELECT pk_binding FROM pk_bind) || ',?) ON CONFLICT DO UPDATE SET \"%w\"=?;'", table->name, table->name, singlequote_escaped_table_name, singlequote_escaped_col_name, singlequote_escaped_col_name);
-        cloudsync_memory_free(singlequote_escaped_col_name);
-
     }
-    cloudsync_memory_free(singlequote_escaped_table_name);
     if (!sql) return NULL;
 
     char *query = NULL;
@@ -666,11 +664,11 @@ char *table_build_value_sql (db_t *db, cloudsync_table_context *table, const cha
     #endif
 
     // SELECT age FROM customers WHERE first_name=? AND last_name=?;
-    char *singlequote_escaped_table_name = cloudsync_memory_mprintf("%q", table->name);
-    char *singlequote_escaped_col_name = cloudsync_memory_mprintf("%q", colname);
+    char buffer[1024];
+    char buffer2[1024];
+    char *singlequote_escaped_table_name = sql_escape_name(table->name, buffer, sizeof(buffer));
+    char *singlequote_escaped_col_name = sql_escape_name(colname, buffer2, sizeof(buffer2));
     char *sql = cloudsync_memory_mprintf("WITH pk_where AS (SELECT group_concat('\"' || format('%%w', name) || '\"', '=? AND ') || '=?' AS pk_clause FROM pragma_table_info('%q') WHERE pk>0 ORDER BY pk) SELECT 'SELECT %s%w%s FROM \"%w\" WHERE ' || (SELECT pk_clause FROM pk_where) || ';'", table->name, colnamequote, singlequote_escaped_col_name, colnamequote, singlequote_escaped_table_name);
-    cloudsync_memory_free(singlequote_escaped_col_name);
-    cloudsync_memory_free(singlequote_escaped_table_name);
     if (!sql) return NULL;
 
     char *query = NULL;
@@ -1736,13 +1734,11 @@ int cloudsync_finalize_alter (cloudsync_context *data, cloudsync_table_context *
             goto finalize;
         }
 
-        char *singlequote_escaped_table_name = cloudsync_memory_mprintf("%q", table->name);
+        char buffer[1024];
+        char *singlequote_escaped_table_name = sql_escape_name(table->name, buffer, sizeof(buffer));
         sql = cloudsync_memory_mprintf("SELECT group_concat('\"%w\".\"' || format('%%w', name) || '\"', ',') FROM pragma_table_info('%s') WHERE pk>0 ORDER BY pk;", singlequote_escaped_table_name, singlequote_escaped_table_name);
-        cloudsync_memory_free(singlequote_escaped_table_name);
-        if (!sql) {
-            rc = DBRES_NOMEM;
-            goto finalize;
-        }
+        if (!sql) {rc = DBRES_NOMEM; goto finalize;}
+        
         char *pkclause = NULL;
         int rc = database_select_text(db, sql, &pkclause);
         cloudsync_memory_free(sql);

src/database.h

@@ -72,6 +72,7 @@ int  database_create_metatable (db_t *db, const char *table_name);
 int  database_create_triggers (db_t *db, const char *table_name, table_algo algo);
 int  database_delete_triggers (db_t *db, const char *table_name);
 int  database_debug (db_t *db, bool print_result);
+int  database_pk_names (db_t *db, const char *table_name, char ***names, int *count);
 
 int database_count_pk (db_t *db, const char *table_name, bool not_null);
 int database_count_int_pk (db_t *db, const char *table_name);
@@ -141,8 +142,9 @@ char *dbmem_vmprintf (const char *format, va_list list);
 void dbmem_free (void *ptr);
 db_uint64 dbmem_size (void *ptr);
 
-int database_pk_names (db_t *db, const char *table_name, char ***names, int *count);
+// SQL
 char *sql_build_drop_table (const char *table_name, char *buffer, int bsize, bool is_meta);
+char *sql_escape_name (const char *name, char *buffer, size_t bsize);
 
 // USED ONLY by SQLite Cloud to implement RLS
 typedef struct cloudsync_pk_decode_bind_context cloudsync_pk_decode_bind_context;

src/database_sqlite.c

@@ -40,6 +40,10 @@ char *sql_build_drop_table (const char *table_name, char *buffer, int bsize, boo
     return sql;
 }
 
+char *sql_escape_name (const char *name, char *buffer, size_t bsize) {
+    return sqlite3_snprintf((int)bsize, buffer, "%q", name);
+}
+
 // MARK: - PRIVATE -
 
 int database_select1_value (db_t *db, const char *sql, char **ptr_value, db_int64 *int_value, DBTYPE expected_type) {

src/sql_sqlite.c

@@ -7,7 +7,7 @@
 
 #include "sql.h"
 
-// MARK: - Settings -
+// MARK: Settings
 
 const char * const SQL_SETTINGS_GET_VALUE =
     "SELECT value FROM cloudsync_settings WHERE key=?1;";
@@ -67,7 +67,7 @@ const char * const SQL_SETTINGS_CLEANUP_DROP_ALL =
     "DROP TABLE IF EXISTS cloudsync_table_settings; "
     "DROP TABLE IF EXISTS cloudsync_schema_versions; ";
 
-// MARK: - CloudSync -
+// MARK: CloudSync
 
 const char * const SQL_DBVERSION_BUILD_QUERY =
     "WITH table_names AS ("
@@ -97,3 +97,5 @@ const char * const SQL_SITEID_GETSET_ROWID_BY_SITEID =
     "INSERT INTO cloudsync_site_id (site_id) VALUES (?) "
     "ON CONFLICT(site_id) DO UPDATE SET site_id = site_id "
     "RETURNING rowid;";
+
+// Format