Escape SQLite wildcards when using LIKE clause

src/lib/navigation/completer/locationcompleterrefreshjob.cpp

@@ -22,6 +22,7 @@
 #include "sqldatabase.h"
 #include "qzsettings.h"
 #include "bookmarks.h"
+#include "qztools.h"
 
 #include <QDateTime>
 
@@ -96,12 +97,13 @@ void LocationCompleterRefreshJob::runJob()
 
     // Load all icons into QImage
     QSqlQuery query;
-    query.prepare(QSL("SELECT icon FROM icons WHERE url LIKE ? LIMIT 1"));
+    query.prepare(QSL("SELECT icon FROM icons WHERE url LIKE ? ESCAPE ? LIMIT 1"));
 
     foreach (QStandardItem* item, m_items) {
         const QUrl url = item->data(LocationCompleterModel::UrlRole).toUrl();
 
-        query.bindValue(0, QString(QL1S("%1%")).arg(QString::fromUtf8(url.toEncoded(QUrl::RemoveFragment))));
+        query.bindValue(0, QString(QL1S("%1%")).arg(QzTools::escapeSqlString(QString::fromUtf8(url.toEncoded(QUrl::RemoveFragment)))));
+        query.bindValue(1, QL1S("!"));
         QSqlQuery res = SqlDatabase::instance()->exec(query);
 
         if (res.next()) {

src/lib/other/iconchooser.cpp

@@ -65,8 +65,9 @@ void IconChooser::searchIcon(const QString &string)
     ui->iconList->clear();
 
     QSqlQuery query;
-    query.prepare("SELECT icon FROM icons WHERE url LIKE ? LIMIT 20");
-    query.bindValue(0, QString("%%1%").arg(string));
+    query.prepare(QSL("SELECT icon FROM icons WHERE url LIKE ? ESCAPE ? LIMIT 20"));
+    query.bindValue(0, QString(QL1S("%%1%")).arg(QzTools::escapeSqlString(string)));
+    query.bindValue(1, QL1S("!"));
     query.exec();
 
     while (query.next()) {

src/lib/tools/iconprovider.cpp

@@ -20,6 +20,7 @@
 #include "sqldatabase.h"
 #include "autosaver.h"
 #include "webview.h"
+#include "qztools.h"
 
 #include <QTimer>
 #include <QBuffer>
@@ -168,8 +169,10 @@ QImage IconProvider::imageForUrl(const QUrl &url)
     }
 
     QSqlQuery query;
-    query.prepare("SELECT icon FROM icons WHERE url LIKE ? LIMIT 1");
-    query.addBindValue(QString("%1%").arg(QString::fromUtf8(url.toEncoded(QUrl::RemoveFragment))));
+    query.prepare(QSL("SELECT icon FROM icons WHERE url LIKE ? ESCAPE ? LIMIT 1"));
+
+    query.addBindValue(QString("%1%").arg(QzTools::escapeSqlString(QString::fromUtf8(url.toEncoded(QUrl::RemoveFragment)))));
+    query.addBindValue(QL1S("!"));
     query.exec();
 
     if (query.next()) {
@@ -193,8 +196,10 @@ QImage IconProvider::imageForDomain(const QUrl &url)
     }
 
     QSqlQuery query;
-    query.prepare("SELECT icon FROM icons WHERE url LIKE ? LIMIT 1");
-    query.addBindValue(QString("%%1%").arg(url.host()));
+    query.prepare(QSL("SELECT icon FROM icons WHERE url LIKE ? ESCAPE ? LIMIT 1"));
+
+    query.addBindValue(QString("%%1%").arg(QzTools::escapeSqlString(url.host())));
+    query.addBindValue(QL1S("!"));
     query.exec();
 
     if (query.next()) {

src/lib/tools/qztools.cpp

@@ -195,6 +195,16 @@ QString QzTools::urlEncodeQueryString(const QUrl &url)
     return returnString;
 }
 
+QString QzTools::escapeSqlString(QString urlString)
+{
+    const static QString &escapeString = QL1S("!");
+    urlString.replace(escapeString, escapeString + escapeString);
+    urlString.replace(QL1S("_"), escapeString + QL1S("_"));
+    urlString.replace(QL1S("%"), escapeString + QL1S("%"));
+
+    return urlString;
+}
+
 QString QzTools::ensureUniqueFilename(const QString &name, const QString &appendFormat)
 {
     if (!QFile::exists(name)) {

src/lib/tools/qztools.h

@@ -46,6 +46,7 @@ public:
 
     static QString samePartOfStrings(const QString &one, const QString &other);
     static QString urlEncodeQueryString(const QUrl &url);
+    static QString escapeSqlString(QString urlString);
 
     static QString ensureUniqueFilename(const QString &name, const QString &appendFormat = QString("(%1)"));
     static QString getFileNameFromUrl(const QUrl &url);