From 100da9a5b6e8cc0a384996674a4e56ec6938f717 Mon Sep 17 00:00:00 2001
From: Jonathan McDowell <noodles@earth.li>
Date: Mon, 31 May 2004 23:46:56 +0000
Subject: [PATCH 1/1] cscvs to tla changeset 7 Author: noodles Date: 2002/09/08
 10:30:32 Changing over to use PQescapeString to escape SQL string data.

---
 keydb_pg.c | 71 +++++++++++++++++++++++-------------------------------
 1 file changed, 30 insertions(+), 41 deletions(-)

diff --git a/keydb_pg.c b/keydb_pg.c
index 3f519bc..b09c692 100644
--- a/keydb_pg.c
+++ b/keydb_pg.c
@@ -206,34 +206,22 @@ int fetch_key_text(const char *search, struct openpgp_publickey **publickey)
 	int i = 0;
 	int numkeys = 0;
 	Oid key_oid;
-	char *dodgychar = NULL;
+	char *newsearch = NULL;
 
 	result = PQexec(dbconn, "BEGIN");
 	PQclear(result);
 
-	/*
-	 * TODO: We really want to use PQescapeString, but this isn't supported
-	 * by the version of Postgresql in Debian Stable. Roll on Woody and for
-	 * now kludge it.
-	 */
-	dodgychar = strchr(search, '\'');
-	while (dodgychar != NULL) {
-		*dodgychar = ' ';
-		dodgychar = strchr(search, '\'');
-	}
-	dodgychar = strchr(search, '\\');
-	while (dodgychar != NULL) {
-		*dodgychar = ' ';
-		dodgychar = strchr(search, '\\');
-	}
-
-	
+	newsearch = malloc(strlen(search) * 2 + 1);
+	memset(newsearch, 0, strlen(search) * 2 + 1);
+	PQescapeString(newsearch, search, strlen(search));
 	snprintf(statement, 1023,
 			"SELECT DISTINCT onak_keys.keydata FROM onak_keys, "
 			"onak_uids WHERE onak_keys.keyid = onak_uids.keyid "
 			"AND onak_uids.uid LIKE '%%%s%%'",
-			search);
+			newsearch);
 	result = PQexec(dbconn, statement);
+	free(newsearch);
+	newsearch = NULL;
 
 	if (PQresultStatus(result) == PGRES_TUPLES_OK) {
 		numkeys = PQntuples(result);
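Review bot: The `malloc` result for `newsearch` is passed unchecked to `memset` and `PQescapeString`, so an allocation failure dereferences NULL here, whereas the store_key change in this same commit guards its buffer with `if (safeuid != NULL)`; this path needs the same guard before the statement is built. The `snprintf(statement, 1023, ...)` return value is also ignored, so a long or heavily escaped search term is silently truncated and the cut-off statement is still sent to `PQexec`; reject the query when the return is negative or `>= 1023`. `PQescapeString` leaves the LIKE wildcards `%` and `_` in `search` active, which may be intended for a substring match but deserves a comment such as `/* LIKE metacharacters in search are deliberately not escaped */`. The function body starts and ends outside this hunk, so the right error exit after the `BEGIN` already issued cannot be judged from here.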
@@ -285,7 +273,7 @@ int store_key(struct openpgp_publickey *publickey, bool intrans, bool update)
 	int fd;
 	char **uids = NULL;
 	char *primary = NULL;
-	char *dodgychar = NULL;
+	char *safeuid = NULL;
 	int i;
 
 	if (!intrans) {
@@ -335,30 +323,29 @@ int store_key(struct openpgp_publickey *publickey, bool intrans, bool update)
 	uids = keyuids(publickey, &primary);
 	if (uids != NULL) {
 		for (i = 0; uids[i] != NULL; i++) {
-			/*
-			 * TODO: We really want to use PQescapeString, but this
-			 * isn't supported by the version of Postgresql in
-			 * Debian Stable. Roll on Woody and for now kludge it.
-			 */
-			dodgychar = strchr(uids[i], '\'');
-			while (dodgychar != NULL) {
-				*dodgychar = ' ';
-				dodgychar = strchr(uids[i], '\'');
+			safeuid = malloc(strlen(uids[i]) * 2 + 1);
+			if (safeuid != NULL) {
+				memset(safeuid, 0, strlen(uids[i]) * 2 + 1);
+				PQescapeString(safeuid, uids[i],
+						strlen(uids[i]));
+
+				snprintf(statement, 1023,
+					"INSERT INTO onak_uids "
+					"(keyid, uid, pri) "
+					"VALUES	('%llX', '%s', '%c')",
+					get_keyid(publickey),
+					safeuid,
+					(uids[i] == primary) ? 't' : 'f');
+				result = PQexec(dbconn, statement);
+
+				free(safeuid);
+				safeuid = NULL;
 			}
-			dodgychar = strchr(uids[i], '\\');
-				while (dodgychar != NULL) {
-				*dodgychar = ' ';
-				dodgychar = strchr(uids[i], '\\');
+			if (uids[i] != NULL) {
+				free(uids[i]);
+				uids[i] = NULL;
 			}
 
-			snprintf(statement, 1023,
-				"INSERT INTO onak_uids (keyid, uid, pri) "
-				"VALUES	('%llX', '%s', '%c')",
-				get_keyid(publickey),
-				uids[i],
-				(uids[i] == primary) ? 't' : 'f');
-			result = PQexec(dbconn, statement);
-
 			if (PQresultStatus(result) != PGRES_COMMAND_OK) {
 				fprintf(stderr, "Problem storing key in DB.\n");
 				fprintf(stderr, "%s\n",
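Review bot: When `malloc` fails for `safeuid`, `PQexec` is skipped but the code below still calls `PQresultStatus(result)` and later `PQclear(result)` on whatever `result` held before, which looks like a handle already cleared in the previous iteration or by an earlier statement outside this hunk. Adding `result = NULL;` at the top of the loop body would make the failure path safe, since libpq treats a NULL result as a fatal error in `PQresultStatus` and as a no-op in `PQclear`. The `if (uids[i] != NULL)` test around the `free` is redundant because the loop condition already guarantees it. `primary` presumably points at one of the `uids[i]` strings freed here, so confirm that nothing after the loop reads it. The function starts and ends outside this hunk.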
@@ -369,6 +356,8 @@ int store_key(struct openpgp_publickey *publickey, bool intrans, bool update)
 			 */
 			PQclear(result);
 		}
+		free(uids);
+		uids = NULL;
 	}
 
 	if (!intrans) {
-- 
2.39.5