From: Christian Dywan <christian@twotoasts.de>
Date: Sat, 6 Dec 2008 13:35:54 +0000 (+0100)
Subject: Escape page uri and title when inserting into database
X-Git-Url: https://spindle.queued.net/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cbe78e5ee5165b1fc0df239ac07387a07377a8c;p=midori

Escape page uri and title when inserting into database
---

diff --git a/midori/main.c b/midori/main.c
index 2bed84d5..2722f97d 100644
--- a/midori/main.c
+++ b/midori/main.c
@@ -716,13 +716,13 @@ midori_history_add_item_cb (KatzeArray* array,
             return;
         }
     }
-    sqlcmd = g_strdup_printf ("INSERT INTO history VALUES"
-                              "('%s', '%s', %" G_GUINT64_FORMAT ", -1)",
+    sqlcmd = sqlite3_mprintf ("INSERT INTO history VALUES"
+                              "('%q', '%q', %" G_GUINT64_FORMAT ", -1)",
                               katze_item_get_uri (item),
                               katze_item_get_name (item),
                               katze_item_get_added (item));
     success = db_exec (db, sqlcmd, &error);
-    g_free (sqlcmd);
+    sqlite3_free (sqlcmd);
     if (!success)
     {
         g_printerr (_("Failed to add history item: %s\n"), error->message);