--- mqtt/src/accmqtt.c 2012/05/27 10:12:48 1.2.2.5
+++ mqtt/src/accmqtt.c 2012/07/03 09:02:50 1.3
@@ -101,7 +101,7 @@ mqtt_rtlm_login(cfg_root_t *cfg, sqlite3 *sql, const c
 /* insert into Users values (NULL, "", "", 1, strftime('%s','now')); */
 int ret = 0;
 sqlite3_stmt *stmt;
- char *str, szStmt[BUFSIZ] = { 0 };
+ char *str, *psStmt;
 if (!sql) return -1;
@@ -111,13 +111,15 @@ mqtt_rtlm_login(cfg_root_t *cfg, sqlite3 *sql, const c
 mqtt_rtlm_log("Error:: not found users table name");
 return -1;
 }
- snprintf(szStmt, sizeof szStmt, "SELECT DISTINCT Username, Password, Access FROM %s "
- "WHERE Username = '%s' AND Password = '%s' AND Access > 0;", str, user, pass);
+ psStmt = sqlite3_mprintf("SELECT DISTINCT Username, Password, Access FROM %s "
+ "WHERE Username = '%q' AND Password = '%q' AND Access > 0;", str, user, pass);
- if (sqlite3_prepare_v2(sql, szStmt, strlen(szStmt), &stmt, NULL)) {
+ if (sqlite3_prepare_v2(sql, psStmt, strlen(psStmt), &stmt, NULL)) {
 MQTT_RTLM_LOG(sql);
+ sqlite3_free(psStmt);
 return -1;
- }
+ } else
+ sqlite3_free(psStmt);
 while (sqlite3_step(stmt) == SQLITE_ROW) {
 if (sqlite3_data_count(stmt) < 1) ret = 0;
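Review bot: In the second hunk the pointer returned by `sqlite3_mprintf()` goes straight into `strlen(psStmt)`, so an out-of-memory condition during login dereferences NULL instead of returning -1; the result needs a check before `sqlite3_prepare_v2()`. The `%q` conversion only doubles single quotes, which holds inside the `'...'` literals used here, but binding `user` and `pass` with `sqlite3_bind_text()` removes the reliance on escaping, and the table name in `str` is still inserted with `%s`, so it is safe only while that value (apparently read from the configuration) is trusted. Passing -1 as the length lets SQLite measure the statement itself, and freeing the string once after the prepare call replaces the `} else` branch. The function starts before and continues past the hunk, so whether `stmt` is finalized on the later paths cannot be seen from here.

```c
/* … unchanged: lookup of the users table name into str … */
psStmt = sqlite3_mprintf("SELECT DISTINCT Username, Password, Access FROM %s "
		"WHERE Username = ?1 AND Password = ?2 AND Access > 0;", str);
if (!psStmt) {
	/* allocation failure: refuse the login instead of dereferencing NULL */
	mqtt_rtlm_log("Error:: not enough memory for SQL statement");
	return -1;
}
if (sqlite3_prepare_v2(sql, psStmt, -1, &stmt, NULL)) {
	MQTT_RTLM_LOG(sql);
	sqlite3_free(psStmt);
	return -1;
}
sqlite3_free(psStmt);
/* credentials travel as bound values, never as SQL text */
if (sqlite3_bind_text(stmt, 1, user, -1, SQLITE_STATIC) ||
		sqlite3_bind_text(stmt, 2, pass, -1, SQLITE_STATIC)) {
	MQTT_RTLM_LOG(sql);
	sqlite3_finalize(stmt);
	return -1;
}
/* … unchanged: sqlite3_step() result loop … */
```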