Index: picedit.c ================================================================== --- picedit.c +++ picedit.c @@ -20,10 +20,19 @@ typedef struct { Uint8 size,meth; Uint8 data[0]; // the first row is all 0, since the compression algorithm requires this } Picture; + +static void fn_valid_name(sqlite3_context*cxt,int argc,sqlite3_value**argv) { + const char*s=sqlite3_value_text(*argv); + if(!s || !*s || s[strspn(s,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_-0123456789")]) { + sqlite3_result_error(cxt,"Invalid name",-1); + return; + } + sqlite3_result_value(cxt,*argv); +} static int load_picture_file(void) { sqlite3_stmt*st=0; FILE*fp; char*nam; @@ -923,11 +932,11 @@ static int add_picture(int t) { sqlite3_stmt*st; const char*s=screen_prompt("Enter name of new picture:"); int i; if(!s || !*s) return 0; - if(sqlite3_prepare_v2(userdb,"INSERT INTO `PICEDIT`(`NAME`,`TYPE`,`DATA`) SELECT REPLACE(?1||'.IMG','.IMG.IMG','.IMG'),1,X'';",-1,&st,0)) { + if(sqlite3_prepare_v2(userdb,"INSERT INTO `PICEDIT`(`NAME`,`TYPE`,`DATA`) SELECT VALID_NAME(?1)||'.IMG',1,X'';",-1,&st,0)) { screen_message(sqlite3_errmsg(userdb)); return 0; } sqlite3_bind_text(st,1,s,-1,0); i=sqlite3_step(st); @@ -943,11 +952,11 @@ static int delete_picture(void) { sqlite3_stmt*st; const char*s=screen_prompt("Enter name of picture to delete:"); int i; if(!s || !*s) return 0; - if(sqlite3_prepare_v2(userdb,"DELETE FROM `PICEDIT` WHERE `NAME`=REPLACE(?1||'.IMG','.IMG.IMG','.IMG');",-1,&st,0)) { + if(sqlite3_prepare_v2(userdb,"DELETE FROM `PICEDIT` WHERE `NAME`=?1||'.IMG';",-1,&st,0)) { screen_message(sqlite3_errmsg(userdb)); return 0; } sqlite3_bind_text(st,1,s,-1,0); i=sqlite3_step(st); 
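Review bot: `const char*s=sqlite3_value_text(*argv);` in fn_valid_name stores a `const unsigned char *` in a `const char *`, an incompatible-pointer-type conversion that compilers warn about; write `const char*s=(const char*)sqlite3_value_text(*argv);`. The accepted character set deliberately lacks '.', which is what makes the old REPLACE('.IMG.IMG') normalisation in the callers unnecessary, and a comment such as `// no '.' allowed, so the '.IMG' suffix appended by the callers cannot be duplicated or spoofed` above the `if` would record that dependency for the next reader. `argc` is unused because the function is registered with nArg=1; `(void)argc;` makes that explicit.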
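Review bot: Once the INSERT in add_picture calls `VALID_NAME(?1)`, an invalid name no longer fails in `sqlite3_prepare_v2` but in the `i=sqlite3_step(st);` call at the end of the hunk, so the `screen_message(sqlite3_errmsg(userdb))` branch shown here never reports it; the code that inspects `i` lies outside the hunk and should be confirmed to show the 'Invalid name' message (via `sqlite3_errmsg`) and to finalize `st` on that path. The same shift applies to the UPDATE in rename_picture. add_picture's body continues past the hunk.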
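Review bot: The DELETE in delete_picture drops the REPLACE normalisation without applying VALID_NAME, so an input such as 'foo.IMG' now matches 'foo.IMG.IMG' and silently deletes nothing, while add_picture and rename_picture reject the same input with an error. If leaving deletion unvalidated is intended so that rows whose names predate the validation can still be removed, say so with `// intentionally no VALID_NAME: legacy names must stay deletable`; otherwise wrap `?1` in VALID_NAME as the other two statements do. delete_picture's body continues past the hunk.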
@@ -962,11 +971,11 @@
 static void rename_picture(void) {
 sqlite3_stmt*st;
 const char*s=screen_prompt("Old name:");
 int i;
 if(!s || !*s) return;
- if(sqlite3_prepare_v2(userdb,"UPDATE `PICEDIT` SET `NAME`=REPLACE(?2||'.IMG','.IMG.IMG','.IMG') WHERE `NAME`=?1||'.IMG';",-1,&st,0)) {
+ if(sqlite3_prepare_v2(userdb,"UPDATE `PICEDIT` SET `NAME`=VALID_NAME(?2)||'.IMG' WHERE `NAME`=?1||'.IMG';",-1,&st,0)) {
 screen_message(sqlite3_errmsg(userdb));
 return;
 }
 sqlite3_bind_text(st,1,s,-1,SQLITE_TRANSIENT);
 s=screen_prompt("New name:");
@@ -992,10 +1001,11 @@
 SDL_Rect r;
 sqlite3_stmt*st;
 int sc=0;
 int max=load_picture_file();
 int i,n;
+ sqlite3_create_function(userdb,"VALID_NAME",1,SQLITE_UTF8|SQLITE_DETERMINISTIC,0,fn_valid_name,0,0);
 init_palette();
 optionquery[1]=Q_imageSize;
 picture_size=strtol(xrm_get_resource(resourcedb,optionquery,optionquery,2)?:"16",0,10);
 set_cursor(XC_arrow);
 set_caption();
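Review bot: The result of `sqlite3_create_function(userdb,"VALID_NAME",...)` is discarded, so a registration failure would only surface later as a 'no such function' prepare error in add_picture or rename_picture, far from its cause. Checking it where it happens, `if(sqlite3_create_function(userdb,"VALID_NAME",1,SQLITE_UTF8|SQLITE_DETERMINISTIC,0,fn_valid_name,0,0)) screen_message(sqlite3_errmsg(userdb));`, reports it once at startup. The enclosing function's signature is outside the hunk.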