Make sure escape is used in SQLite3QueryBuilder wherever it's expected.

This commit is contained in:
Relintai 2022-12-20 17:35:24 +01:00
parent a50fc20607
commit 3d63a84be9


@ -56,7 +56,7 @@ QueryBuilder *SQLite3QueryBuilder::cstr() {
} }
QueryBuilder *SQLite3QueryBuilder::like(const String &str) { QueryBuilder *SQLite3QueryBuilder::like(const String &str) {
if (str == "") { if (str.empty()) {
query_result += "LIKE "; query_result += "LIKE ";
} else { } else {
nlike(escape(str)); nlike(escape(str));
@ -152,14 +152,14 @@ QueryBuilder *SQLite3QueryBuilder::nval(const String &param) {
QueryBuilder *SQLite3QueryBuilder::vals(const String &param) { QueryBuilder *SQLite3QueryBuilder::vals(const String &param) {
query_result += "'"; query_result += "'";
query_result += param; query_result += escape(param);
query_result += "', "; query_result += "', ";
return this; return this;
} }
QueryBuilder *SQLite3QueryBuilder::vals(const char *param) { QueryBuilder *SQLite3QueryBuilder::vals(const char *param) {
query_result += "'"; query_result += "'";
query_result += String(param); query_result += escape(String(param));
query_result += "', "; query_result += "', ";
return this; return this;
@ -223,7 +223,7 @@ QueryBuilder *SQLite3QueryBuilder::nsetp(const String &col, const String &param)
QueryBuilder *SQLite3QueryBuilder::setps(const String &col, const char *param) { QueryBuilder *SQLite3QueryBuilder::setps(const String &col, const char *param) {
query_result += col; query_result += col;
query_result += "='"; query_result += "='";
query_result += String(param); query_result += escape(String(param));
query_result += "', "; query_result += "', ";
return this; return this;
@ -275,7 +275,7 @@ QueryBuilder *SQLite3QueryBuilder::nwp(const String &col, const String &param) {
QueryBuilder *SQLite3QueryBuilder::wps(const String &col, const char *param) { QueryBuilder *SQLite3QueryBuilder::wps(const String &col, const char *param) {
query_result += col; query_result += col;
query_result += "='"; query_result += "='";
query_result += String(param); query_result += escape(String(param));
query_result += "' "; query_result += "' ";
return this; return this;
@ -334,11 +334,7 @@ QueryBuilder *SQLite3QueryBuilder::wildcard() {
} }
String SQLite3QueryBuilder::escape(const String &params) { String SQLite3QueryBuilder::escape(const String &params) {
if (!_connection.is_valid()) { ERR_FAIL_COND_V(!_connection.is_valid(), String());
printf("SQLite3QueryBuilder::escape !db!\n");
return "";
}
return _connection->escape(params); return _connection->escape(params);
} }
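Review bot: The column argument in setps (`query_result += col;`) and wps is still appended verbatim while only `param` gains escaping, so both builders stay safe only if `col` is a trusted identifier; a comment on each, e.g. `// col is inserted unescaped: must be a trusted column name, not caller-supplied data`, would make that contract visible to callers. In escape(), `ERR_FAIL_COND_V(!_connection.is_valid(), String())` means that with no connection set, vals/setps/wps now emit `''` in place of the value and the query is still returned as well-formed SQL, so the failure is only visible in the error log; the docstring on escape() should state that the empty return is a failure sentinel that its callers in this file do not check. If `_connection` can bind parameters, passing values that way would be a stronger fix than string escaping, though whether it offers that is not visible in this diff. The vals(const char *), setps and wps bodies continue past their hunks' last shown lines.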