From bed67cd9709caad17146ab4e0c90952988a21317 Mon Sep 17 00:00:00 2001
From: Martin Kleusberg <mkleusberg@gmail.com>
Date: Sat, 5 Jan 2013 15:31:42 +0100
Subject: [PATCH] Make sure to always escape table and column names properly

Always put `...` around the names of tables, columns and other objects
to avoid errors when the user creates objects with the name of key
words.
---
 src/CreateIndexForm.cpp |  6 ++----
 src/EditTableForm.cpp   |  2 +-
 src/ImportCSVForm.cpp   | 13 ++++---------
 src/MainWindow.cpp      |  2 +-
 src/sqlbrowser_util.c   |  2 +-
 src/sqlitedb.cpp        | 29 +++++------------------------
 6 files changed, 14 insertions(+), 40 deletions(-)

diff --git a/src/CreateIndexForm.cpp b/src/CreateIndexForm.cpp
index ef98f4ad..0c55bcba 100644
--- a/src/CreateIndexForm.cpp
+++ b/src/CreateIndexForm.cpp
@@ -69,9 +69,9 @@ void createIndexForm::confirmCreate()
         if (comboUnique->currentIndex()==1){
             createStatement.append("UNIQUE ");
         }
-        createStatement.append("INDEX ");
+        createStatement.append("INDEX `");
         createStatement.append(indexLineEdit->text());
-        createStatement.append(" ON ");
+        createStatement.append("` ON ");
         createStatement.append(comboTables->currentText());
         createStatement.append("(");
         createStatement.append(comboFields->currentText());
@@ -102,5 +102,3 @@ void createIndexForm::populateTable(const QList<DBBrowserObject>& rmap)
         }*/
     }
 }
-
-
diff --git a/src/EditTableForm.cpp b/src/EditTableForm.cpp
index 89a2b9ce..c82b6bb9 100644
--- a/src/EditTableForm.cpp
+++ b/src/EditTableForm.cpp
@@ -71,7 +71,7 @@ void editTableForm::accept()
         // Build SQL statement from what the use entered
         QString sql = QString("CREATE TABLE `%1` (").arg(ui->editTableName->text());
         for(int i=0;i<ui->treeWidget->topLevelItemCount();i++)
-            sql.append(QString("%1 %2,").arg(ui->treeWidget->topLevelItem(i)->text(0)).arg(ui->treeWidget->topLevelItem(i)->text(1)));
+            sql.append(QString("`%1` %2,").arg(ui->treeWidget->topLevelItem(i)->text(0)).arg(ui->treeWidget->topLevelItem(i)->text(1)));
         sql.remove(sql.count() - 1, 1);     // Remove last comma
         sql.append(");");
 
diff --git a/src/ImportCSVForm.cpp b/src/ImportCSVForm.cpp
index 0087a99d..e9adb585 100644
--- a/src/ImportCSVForm.cpp
+++ b/src/ImportCSVForm.cpp
@@ -110,11 +110,9 @@ void importCSVForm::createButtonPressed()
     QProgressDialog progress("Inserting data...", "Cancel", 0, curList.size());
     progress.setWindowModality(Qt::ApplicationModal);
     
-    sql = "CREATE TABLE ";
-    sql.append(tabname);
-    sql.append(" (");
+    sql = QString("CREATE TABLE `%1` (").arg(tabname);
     for (int r=0; r<numfields;r++){
-        sql.append(fieldList[r]);
+        sql.append(QString("`%1`").arg(fieldList[r]));
         //createStatement.append(" text");
         if (r<(numfields - 1))
             sql.append(", ");
@@ -135,11 +133,8 @@ void importCSVForm::createButtonPressed()
     //now lets import all data, one row at a time
     for ( int i=0; i < curList.size(); ++i ) {
         if (colNum==0)
-        {
-            sql = "INSERT INTO ";
-            sql.append(tabname);
-            sql.append(" VALUES(");
-        }
+            sql = QString("INSERT INTO `%1` VALUES(").arg(tabname);
+
         //need to mprintf here
         //sql.append(*ct);
         char * formSQL = sqlite3_mprintf("%Q",(const char *) curList[i].toUtf8());
diff --git a/src/MainWindow.cpp b/src/MainWindow.cpp
index 01faf920..ba682039 100644
--- a/src/MainWindow.cpp
+++ b/src/MainWindow.cpp
@@ -605,7 +605,7 @@ void MainWindow::deleteObject()
                             QMessageBox::Yes, QMessageBox::No | QMessageBox::Default | QMessageBox::Escape) == QMessageBox::Yes)
     {
         // Delete the table
-        QString statement = QString("DROP %1 %2;").arg(type.toUpper()).arg(table);
+        QString statement = QString("DROP %1 `%2`;").arg(type.toUpper()).arg(table);
         if(!db.executeSQL( statement))
         {
             QString error = QString("Error: could not delete the %1. Message from database engine:\n%2").arg(type).arg(db.lastErrorMessage);
diff --git a/src/sqlbrowser_util.c b/src/sqlbrowser_util.c
index c10ca07f..49b8fbe4 100644
--- a/src/sqlbrowser_util.c
+++ b/src/sqlbrowser_util.c
@@ -287,7 +287,7 @@ static int dump_callback(void *pArg, int nArg, char **azArg, char **azCol){
     d2.mode = MODE_Insert;
     d2.zDestTable = 0;
     set_table_name(&d2, azArg[0]);
-    stmt = sqlite3_mprintf("SELECT * FROM '%q'", azArg[0]);
+    stmt = sqlite3_mprintf("SELECT * FROM `%q`", azArg[0]);
     sqlite3_exec(p->db,stmt, callback, &d2, 0);
     sqlite3_free(stmt);
     set_table_name(&d2, 0);
diff --git a/src/sqlitedb.cpp b/src/sqlitedb.cpp
index 3317722d..f480fbeb 100644
--- a/src/sqlitedb.cpp
+++ b/src/sqlitedb.cpp
@@ -309,9 +309,7 @@ bool DBBrowserDB::addRecord ( )
     int fields = browseFields.count();
     QString emptyvalue = curNewData;
 
-    QString statement = "INSERT INTO ";
-    statement.append(GetEncodedQString(curBrowseTableName));
-    statement.append(" VALUES(");
+    QString statement = QString("INSERT INTO `%1` VALUES(").arg(GetEncodedQString(curBrowseTableName));
     for ( int i=1; i<=fields; i++ ) {
         statement.append(emptyvalue);
         if (i<fields) statement.append(", ");
@@ -343,11 +341,7 @@ bool DBBrowserDB::deleteRecord( int wrow)
     QString& rowid = rt[0];
     lastErrorMessage = QString("no error");
     
-    QString statement = "DELETE FROM ";
-    statement.append(GetEncodedQString(curBrowseTableName));
-    statement.append(" WHERE rowid=");
-    statement.append(rowid);
-    statement.append(";");
+    QString statement = QString("DELETE FROM `%1` WHERE rowid=%2;").arg(GetEncodedQString(curBrowseTableName)).arg(rowid);
 
     if (_db){
         logSQL(statement, kLogMsg_App);
@@ -376,11 +370,7 @@ bool DBBrowserDB::updateRecord(int wrow, int wcol, const QString & wtext)
     QString& cv = rt[wcol+1];//must account for rowid
     QString ct = browseFields.at(wcol);
     
-    QString statement = "UPDATE ";
-    statement.append(GetEncodedQString(curBrowseTableName));
-    statement.append(" SET ");
-    statement.append(GetEncodedQString(ct));
-    statement.append("=");
+    QString statement = QString("UPDATE `%1` SET `%2`=").arg(GetEncodedQString(curBrowseTableName)).arg(ct);
 
     QString wenc = GetEncodedQString(wtext);
     char * formSQL = sqlite3_mprintf("%Q", wenc.toUtf8().constData());
@@ -405,10 +395,8 @@ bool DBBrowserDB::updateRecord(int wrow, int wcol, const QString & wtext)
     }
 
     return ok;
-
 }
 
-
 bool DBBrowserDB::browseTable( const QString & tablename, const QString& orderby )
 {
     QStringList testFields = getTableFields( tablename );
@@ -461,12 +449,7 @@ void DBBrowserDB::getTableRecords( const QString & tablename, const QString& ord
     idmap.clear();
     lastErrorMessage = QString("no error");
 
-    QString statement = "SELECT rowid, *  FROM ";
-    statement.append( GetEncodedQString(tablename) );
-    statement.append(" ORDER BY ");
-    statement.append(orderby);
-    statement.append(";");
-    //qDebug(statement);
+    QString statement = QString("SELECT rowid, *  FROM `%1` ORDER BY %2;").arg(GetEncodedQString(tablename)).arg(orderby);
     logSQL(statement, kLogMsg_App);
     err=sqlite3_prepare(_db,statement.toUtf8(),statement.length(),
                         &vm, &tail);
@@ -688,9 +671,7 @@ void DBBrowserDB::updateSchema( )
     {
         if((*it).gettype() == "table" || (*it).gettype() == "view")
         {
-            statement = "PRAGMA TABLE_INFO(";
-            statement.append( (*it).getname());
-            statement.append(");");
+            statement = QString("PRAGMA TABLE_INFO(`%1`);").arg((*it).getname());
             logSQL(statement, kLogMsg_App);
             err=sqlite3_prepare(_db,statement.toUtf8(),statement.length(),
                                 &vm, &tail);