Escape message before adding to SQL backend

2024-12-04 14:46:46 -05:00 · 2020-04-18 10:01:40 +02:00 · 2020-04-18 10:01:40 +02:00 · b282965ede
commit b282965ede
parent a1d37dda18
1 changed files with 5 additions and 1 deletions
--- a/src/database.c
+++ b/src/database.c
@ -44,6 +44,7 @@
 #include <errno.h>

 #include "log.h"
+#include "common.h"
 #include "config/files.h"

 static sqlite3 *g_chatlog_database;
@ -326,12 +327,14 @@ _add_to_db(ProfMessage *message, char *type, const Jid * const from_jid, const J
        type = (char*)_get_message_type_str(message->type);
    }

+    char *escaped_message = str_replace(message->plain, "'", "''");
+
    if (asprintf(&query, "INSERT INTO `ChatLogs` (`from_jid`, `from_resource`, `to_jid`, `to_resource`, `message`, `timestamp`, `stanza_id`, `replace_id`, `type`, `encryption`) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
                from_jid->barejid,
                from_jid->resourcepart ? from_jid->resourcepart : "",
                to_jid->barejid,
                to_jid->resourcepart ? to_jid->resourcepart : "",
-                message->plain,
+                escaped_message,
                date_fmt,
                message->id ? message->id : "",
                message->replace_id ? message->replace_id : "",
@ -340,6 +343,7 @@ _add_to_db(ProfMessage *message, char *type, const Jid * const from_jid, const J
        log_error("log_database_add(): SQL query. could not allocate memory");
        return;
    }
+    free(escaped_message);
    g_free(date_fmt);

    if( SQLITE_OK != sqlite3_exec(g_chatlog_database, query, NULL, 0, &err_msg)) {