[mythtv] escaping strings in sql queries
Jost Schenck
jost.schenck at gmx.de
Mon Dec 22 04:32:59 EST 2003
Hi,
I'm a rather new mythtv user and encountered a problem with not properly
escaped SQL queries, which I'd like to fix. It has occurred since I switched to a
different xmltv provider (the German grabber by Ben Bucksch); the problem is
about quotes in titles.
When I started to fix this, I noticed that there is some work already being
done to escape quotes in some places, e.g. in programinfo.cpp, which is why I
first wanted to ask if I missed something, before I start reviewing all SQL
statements.
The current code seems only to escape quotes and not other special characters,
and it seems the quote escaping is still not enough, as I get things like
this:
2003-12-21 22:24:34 Strange, file:
/var/store/21_20031221092000_20031221100000.nuv doesn't exist.
DB Error (Recorded program deletion):
Query was:
DELETE FROM recorded WHERE chanid = 21 AND title = "Jim Knopf und die "Wilde
13"" AND starttime = 20031220092700 AND endtime = 20031220100000;
Driver error was [2/1064]:
QMYSQL3: Unable to execute query
Database error was:
You have an error in your SQL syntax near 'Wilde 13"" AND starttime =
20031220092700 AND endtime = 20031220100000' at line 1
The corresponding line in the XMLTV input is this:
<title lang="de">Jim Knopf und die &quot;Wilde 13&quot;</title>
This also led to error messages in the first run of mythfilldatabase after
changing to the new grabber.
So my questions are:
- is this a bug in myth or in the grabber (for using those &quot; entities)?
- is it okay if I try to ensure proper escaping of ASCII strings in all SQL
queries and send you a patch?
So far I added an escapeString(const QString) function to libmyth/util.* and
started a little work on changing the queries to use this function.
Thanks a lot,
-Jost.
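
The failure in the log above, reproduced as an added example that is not part of the original post and is not MythTV code. `escapeString` here is a hypothetical std::string stand-in for the helper the post mentions, and `literalEnd` is a simplified model of how a double-quoted literal is read; both assume MySQL's default backslash-escape behaviour.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the escapeString() helper named in the post.
// Escapes the characters mysql_real_escape_string() escapes:
// NUL, \n, \r, backslash, single quote, double quote and Ctrl-Z.
std::string escapeString(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '\0':   out += "\\0"; break;
        case '\n':   out += "\\n"; break;
        case '\r':   out += "\\r"; break;
        case '\x1a': out += "\\Z"; break;
        case '\\': case '\'': case '"': out += '\\'; out += c; break;
        default:     out += c;
        }
    }
    return out;
}

// Simplified model of reading a double-quoted literal opening at sql[pos]:
// a backslash escapes the next character, "" is a literal quote, and a lone "
// closes the string. Returns the index just past the closing quote, or npos.
std::size_t literalEnd(const std::string &sql, std::size_t pos) {
    for (std::size_t i = pos + 1; i < sql.size(); ++i) {
        if (sql[i] == '\\') { ++i; continue; }
        if (sql[i] != '"') continue;
        if (i + 1 < sql.size() && sql[i + 1] == '"') { ++i; continue; }
        return i + 1;
    }
    return std::string::npos;
}

// Title condition of the DELETE from the log, built by concatenation.
std::string titleClause(const std::string &title, bool escape) {
    return "title = \"" + (escape ? escapeString(title) : title) +
           "\" AND starttime = 20031220092700";
}

// What is left after the title literal; " AND ..." means it closed correctly.
std::string afterLiteral(const std::string &clause) {
    std::size_t end = literalEnd(clause, clause.find('"'));
    return end == std::string::npos ? "" : clause.substr(end);
}

int main() {
    const std::string title = "Jim Knopf und die \"Wilde 13\"";  // title from the post
    std::cout << "raw:     [" << afterLiteral(titleClause(title, false)) << "]\n";
    std::cout << "escaped: [" << afterLiteral(titleClause(title, true)) << "]\n";
}
```

With the raw title the text after the literal starts at `Wilde 13""`, the same position the MySQL error reports. Binding the title with `QSqlQuery::prepare()` and `bindValue()` keeps it out of the SQL text, so the calling code needs no escaping.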