Add calibredb-sanitize-filter to handle quote

chenyanming · Jul 14, 2024 · bb9cfb5 · bb9cfb5
1 parent 2bcf91e
commit bb9cfb5
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/calibredb-search.el b/calibredb-search.el
@@ -867,11 +867,18 @@ ebook record will be shown.
 (defvar calibredb-search-pages 0
   "The number of pages in the current search result.")
 
+(defun calibredb-sanitize-filter (filter)
+  "Sanitize FILTER for use in SQL queries by escaping special characters."
+  (let ((sanitized filter))
+    ;; Escape single quotes by doubling them
+    (setq sanitized (replace-regexp-in-string "'" "''" sanitized))
+    sanitized))
+
 (defun calibredb-search-candidates (filter &rest properties)
   "Generate ebook candidate alist.
 Argument: FILTER is the filter string.
 Argument: PROPERTIES is the addiontal parameters."
-  (let* ((words (split-string filter " "))
+  (let* ((words (split-string (calibredb-sanitize-filter filter) " "))
          (limit (plist-get properties :limit))
          (count (plist-get properties :count))
          (page (plist-get properties :page)))