Make sure to always escape table and column names properly

Always put `...` around the names of tables, columns and other objects
to avoid errors when the user creates objects with the name of key
words.

src/CreateIndexForm.cpp

@@ -69,9 +69,9 @@ void createIndexForm::confirmCreate()
         if (comboUnique->currentIndex()==1){
             createStatement.append("UNIQUE ");
         }
-        createStatement.append("INDEX ");
+        createStatement.append("INDEX `");
         createStatement.append(indexLineEdit->text());
-        createStatement.append(" ON ");
+        createStatement.append("` ON ");
         createStatement.append(comboTables->currentText());
         createStatement.append("(");
         createStatement.append(comboFields->currentText());
@@ -102,5 +102,3 @@ void createIndexForm::populateTable(const QList<DBBrowserObject>& rmap)
         }*/
     }
 }
-
-

src/EditTableForm.cpp

@@ -71,7 +71,7 @@ void editTableForm::accept()
         // Build SQL statement from what the use entered
         QString sql = QString("CREATE TABLE `%1` (").arg(ui->editTableName->text());
         for(int i=0;i<ui->treeWidget->topLevelItemCount();i++)
-            sql.append(QString("%1 %2,").arg(ui->treeWidget->topLevelItem(i)->text(0)).arg(ui->treeWidget->topLevelItem(i)->text(1)));
+            sql.append(QString("`%1` %2,").arg(ui->treeWidget->topLevelItem(i)->text(0)).arg(ui->treeWidget->topLevelItem(i)->text(1)));
         sql.remove(sql.count() - 1, 1);     // Remove last comma
         sql.append(");");
 

src/ImportCSVForm.cpp

@@ -110,11 +110,9 @@ void importCSVForm::createButtonPressed()
     QProgressDialog progress("Inserting data...", "Cancel", 0, curList.size());
     progress.setWindowModality(Qt::ApplicationModal);
     
-    sql = "CREATE TABLE ";
-    sql.append(tabname);
-    sql.append(" (");
+    sql = QString("CREATE TABLE `%1` (").arg(tabname);
     for (int r=0; r<numfields;r++){
-        sql.append(fieldList[r]);
+        sql.append(QString("`%1`").arg(fieldList[r]));
         //createStatement.append(" text");
         if (r<(numfields - 1))
             sql.append(", ");
@@ -135,11 +133,8 @@ void importCSVForm::createButtonPressed()
     //now lets import all data, one row at a time
     for ( int i=0; i < curList.size(); ++i ) {
         if (colNum==0)
-        {
-            sql = "INSERT INTO ";
-            sql.append(tabname);
-            sql.append(" VALUES(");
-        }
+            sql = QString("INSERT INTO `%1` VALUES(").arg(tabname);
+
         //need to mprintf here
         //sql.append(*ct);
         char * formSQL = sqlite3_mprintf("%Q",(const char *) curList[i].toUtf8());

src/MainWindow.cpp

@@ -605,7 +605,7 @@ void MainWindow::deleteObject()
                             QMessageBox::Yes, QMessageBox::No | QMessageBox::Default | QMessageBox::Escape) == QMessageBox::Yes)
     {
         // Delete the table
-        QString statement = QString("DROP %1 %2;").arg(type.toUpper()).arg(table);
+        QString statement = QString("DROP %1 `%2`;").arg(type.toUpper()).arg(table);
         if(!db.executeSQL( statement))
         {
             QString error = QString("Error: could not delete the %1. Message from database engine:\n%2").arg(type).arg(db.lastErrorMessage);

src/sqlbrowser_util.c

@@ -287,7 +287,7 @@ static int dump_callback(void *pArg, int nArg, char **azArg, char **azCol){
     d2.mode = MODE_Insert;
     d2.zDestTable = 0;
     set_table_name(&d2, azArg[0]);
-    stmt = sqlite3_mprintf("SELECT * FROM '%q'", azArg[0]);
+    stmt = sqlite3_mprintf("SELECT * FROM `%q`", azArg[0]);
     sqlite3_exec(p->db,stmt, callback, &d2, 0);
     sqlite3_free(stmt);
     set_table_name(&d2, 0);

src/sqlitedb.cpp

@@ -309,9 +309,7 @@ bool DBBrowserDB::addRecord ( )
     int fields = browseFields.count();
     QString emptyvalue = curNewData;
 
-    QString statement = "INSERT INTO ";
-    statement.append(GetEncodedQString(curBrowseTableName));
-    statement.append(" VALUES(");
+    QString statement = QString("INSERT INTO `%1` VALUES(").arg(GetEncodedQString(curBrowseTableName));
     for ( int i=1; i<=fields; i++ ) {
         statement.append(emptyvalue);
         if (i<fields) statement.append(", ");
@@ -343,11 +341,7 @@ bool DBBrowserDB::deleteRecord( int wrow)
     QString& rowid = rt[0];
     lastErrorMessage = QString("no error");
     
-    QString statement = "DELETE FROM ";
-    statement.append(GetEncodedQString(curBrowseTableName));
-    statement.append(" WHERE rowid=");
-    statement.append(rowid);
-    statement.append(";");
+    QString statement = QString("DELETE FROM `%1` WHERE rowid=%2;").arg(GetEncodedQString(curBrowseTableName)).arg(rowid);
 
     if (_db){
         logSQL(statement, kLogMsg_App);
@@ -376,11 +370,7 @@ bool DBBrowserDB::updateRecord(int wrow, int wcol, const QString & wtext)
     QString& cv = rt[wcol+1];//must account for rowid
     QString ct = browseFields.at(wcol);
     
-    QString statement = "UPDATE ";
-    statement.append(GetEncodedQString(curBrowseTableName));
-    statement.append(" SET ");
-    statement.append(GetEncodedQString(ct));
-    statement.append("=");
+    QString statement = QString("UPDATE `%1` SET `%2`=").arg(GetEncodedQString(curBrowseTableName)).arg(ct);
 
     QString wenc = GetEncodedQString(wtext);
     char * formSQL = sqlite3_mprintf("%Q", wenc.toUtf8().constData());
@@ -405,10 +395,8 @@ bool DBBrowserDB::updateRecord(int wrow, int wcol, const QString & wtext)
     }
 
     return ok;
-
 }
 
-
 bool DBBrowserDB::browseTable( const QString & tablename, const QString& orderby )
 {
     QStringList testFields = getTableFields( tablename );
@@ -461,12 +449,7 @@ void DBBrowserDB::getTableRecords( const QString & tablename, const QString& ord
     idmap.clear();
     lastErrorMessage = QString("no error");
 
-    QString statement = "SELECT rowid, *  FROM ";
-    statement.append( GetEncodedQString(tablename) );
-    statement.append(" ORDER BY ");
-    statement.append(orderby);
-    statement.append(";");
-    //qDebug(statement);
+    QString statement = QString("SELECT rowid, *  FROM `%1` ORDER BY %2;").arg(GetEncodedQString(tablename)).arg(orderby);
     logSQL(statement, kLogMsg_App);
     err=sqlite3_prepare(_db,statement.toUtf8(),statement.length(),
                         &vm, &tail);
@@ -688,9 +671,7 @@ void DBBrowserDB::updateSchema( )
     {
         if((*it).gettype() == "table" || (*it).gettype() == "view")
         {
-            statement = "PRAGMA TABLE_INFO(";
-            statement.append( (*it).getname());
-            statement.append(");");
+            statement = QString("PRAGMA TABLE_INFO(`%1`);").arg((*it).getname());
             logSQL(statement, kLogMsg_App);
             err=sqlite3_prepare(_db,statement.toUtf8(),statement.length(),
                                 &vm, &tail);