author | Ted Trask <ttrask01@yahoo.com> | 2013-05-13 15:21:59 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2013-05-13 15:21:59 +0000 |
commit | 2867a4906ce08345409ce5599c003e3b6ad0b26b (patch) | |
tree | 0b3d7c9ae49552a88a458a961d0241fa4a8972fd | |
parent | b76527b8ea03a9f005857fc4d9e514c2dcb2f970 (diff) | |
Modified escape function and used it in more places
-rw-r--r-- | vmail-model.lua | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/vmail-model.lua b/vmail-model.lua
index 5239c04..b91b4eb 100644
--- a/vmail-model.lua
+++ b/vmail-model.lua
@@ -102,7 +102,7 @@ end
 -- Escape special characters in sql statements
 local escape = function(sql)
 sql = sql or ""
-return string.gsub(sql, "'", "''")
+return con:escape(sql)
 end
 
 local databaseconnect = function()
@@ -294,7 +294,7 @@ local setuserparams = function(userparams)
 for i,parm in ipairs(params) do
 if parm.name and not ignoreparam[parm.name] then
 if userparams[parm.name] and (userparams[parm.name].value ~= nil) and tostring(userparams[parm.name].value) ~= parm.value then
-sql = "INSERT INTO voicemail_values VALUES('"..uid[1].uid.."', '"..parm.nid.."', '"..tostring(userparams[parm.name].value).."')"
+sql = "INSERT INTO voicemail_values VALUES('"..escape(uid[1].uid).."', '"..escape(parm.nid).."', '"..escape(tostring(userparams[parm.name].value)).."')"
 runsqlcommand(sql)
 end
 end
@@ -306,10 +306,10 @@ local setuserparams = function(userparams)
 local password = getselectresponse(sql)
 if #password > 0 then
 -- update
-sql = "UPDATE voicemail_prefs SET password='"..userparams["vm-password"].value.."'"..generatewhereclause(userparams.username.value)
+sql = "UPDATE voicemail_prefs SET password='"..escape(userparams["vm-password"].value).."'"..generatewhereclause(userparams.username.value)
 else
 -- insert
-sql = "INSERT INTO voicemail_prefs (username, domain, password) VALUES ('"..userparams.username.value.."', '"..config.domain.."', '"..userparams["vm-password"].value.."')"
+sql = "INSERT INTO voicemail_prefs (username, domain, password) VALUES ('"..escape(userparams.username.value).."', '"..escape(config.domain).."', '"..escape(userparams["vm-password"].value).."')"
 end
 runsqlcommand(sql)
 end
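Review bot: `escape` now dereferences the upvalue `con` on the `return con:escape(sql)` line, so a call made before `databaseconnect` has run, or after the connection has been closed, fails with an index-on-nil error instead of returning an escaped string; the replaced `string.gsub` form had no such ordering dependency. A guard such as `assert(con, "escape: no database connection")` before the return makes that failure mode explicit, and the header comment should state the precondition, e.g. `-- Escape a value for interpolation into SQL via the driver; requires an open connection (con)`. Driver-side escaping is the right direction because it covers more than the single-quote case the old gsub handled, but values are still spliced into SQL text, so every call site must route through `escape`. `databaseconnect` starts in this hunk and continues outside it.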
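Review bot: Both new `sql` lines in the `@@ -306,10 +306,10 @@` hunk still pass `userparams.username.value` unescaped into `generatewhereclause`, and the `move_message` hunk does the same with `moverequest.value.username.value`; since `generatewhereclause` is outside the diff, whether it escapes its arguments cannot be confirmed here, and if it only concatenates them the username reaches the statement raw while the password and domain beside it are escaped. Either apply `escape` inside `generatewhereclause` or pass `escape(userparams.username.value)` at these call sites, and document which side owns the escaping, e.g. `-- generatewhereclause escapes its arguments; callers pass raw values`. `setuserparams` starts outside this hunk.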
@@ -635,7 +635,7 @@ move_message = function(self, moverequest)
 -- Check if newfolder exists
 if validfolder(moverequest.value.newfolder.value) then
 for i,m in ipairs(mess) do
-local sql = "UPDATE voicemail_msgs SET in_folder='"..moverequest.value.newfolder.value.."'" .. generatewhereclause(moverequest.value.username.value, messages)
+local sql = "UPDATE voicemail_msgs SET in_folder='"..escape(moverequest.value.newfolder.value).."'" .. generatewhereclause(moverequest.value.username.value, messages)
 runsqlcommand(sql)
 end
 if #mess == 1 then