diff -Naur mod_log_sql-1.101-rs2/mod_log_sql_mysql.c mod_log_sql-1.101-rs3/mod_log_sql_mysql.c --- mod_log_sql-1.101-rs2/mod_log_sql_mysql.c 2008-02-21 22:29:13.000000000 +0100 +++ mod_log_sql-1.101-rs3/mod_log_sql_mysql.c 2008-02-19 22:45:20.000000000 +0100 @@ -73,9 +73,15 @@ db->handle=NULL; } -/* Routine to escape the 'dangerous' characters that would otherwise - * corrupt the INSERT string: ', \, and " + + +/* RS: try to minimize escaping + * manually transform: + * \ => \\ + * ' => \' + * " => \" */ + static const char *log_sql_mysql_escape(const char *from_str, apr_pool_t *p, logsql_dbconnection *db) { @@ -86,35 +92,29 @@ } unsigned long length = strlen(from_str); - unsigned long retval; /* Pre-allocate a new string that could hold twice the original, which would only * happen if the whole original string was 'dangerous' characters. */ - char *to_str = (char *) apr_palloc(p, length * 2 + 1); + char *to_str = (char *) apr_palloc(p, length * 2 + 3); if (!to_str) { return from_str; } - - /* RS: first get the escaped string, then put all together with apr_pstrcat */ - - if (!db->connected) { - /* Well, I would have liked to use the current database charset. mysql is - * unavailable, however, so I fall back to the slightly less respectful - * mysql_escape_string() function that uses the default charset. - */ - retval = mysql_escape_string(to_str, from_str, length); - } else { - /* MySQL is available, so I'll go ahead and respect the current charset when - * I perform the escape. - */ - retval = mysql_real_escape_string((MYSQL *)db->handle, to_str, from_str, length); - } - - if(!retval) { - return from_str; - } - return apr_pstrcat(p,"'",to_str,"'",NULL); + + char *ptr=(char *)from_str; + unsigned long pos=0; + to_str[pos++]='\''; + + while(*ptr!=0) { + if( (*ptr=='\\') || (*ptr=='\'') || (*ptr=='\"') ) { + to_str[pos++]='\\'; + } + to_str[pos++]=*ptr; + ptr++; + } + to_str[pos++]='\''; + to_str[pos]=0; + return to_str; } #if defined(WIN32)
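Review bot: The hand-written loop in the second hunk escapes bytes without regard to the connection character set or sql_mode, both of which the removed `mysql_real_escape_string()` call took from the live connection. With a multibyte connection charset whose trail bytes can be 0x5c, or with `NO_BACKSLASH_ESCAPES` enabled on the server, prefixing a backslash no longer guarantees that a quote stays inside the string literal, and the values escaped here presumably come from request data. I would keep the library escaping and change only the quoting: write the opening quote into `to_str[0]` and escape into `to_str + 1`, which the new `length * 2 + 3` allocation already has room for. The sketch below shows this, with the failure path left open because the start of the function body lies between the two hunks and is not visible. The header comment added in the first hunk should also say that the result is returned wrapped in single quotes, and the `(char *)` cast on `from_str` is unnecessary if `ptr` is declared `const char *`.

```c
/* … unchanged: early return before the hunk, length, apr_palloc(p, length * 2 + 3) and its NULL check … */
unsigned long n;

to_str[0] = '\'';
if (db->connected) {
    /* Escape on the live connection so its charset and sql_mode are honoured. */
    n = mysql_real_escape_string((MYSQL *)db->handle, to_str + 1, from_str, length);
} else {
    /* No connection yet: fall back to the default-charset escape, as before. */
    n = mysql_escape_string(to_str + 1, from_str, length);
}
/* Newer client libraries report failure as (unsigned long)-1; check n before
 * using it as an index and fail according to the caller's contract. */
to_str[n + 1] = '\'';
to_str[n + 2] = '\0';
return to_str;
```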