author | Ted Trask <ttrask01@yahoo.com> | 2013-10-19 18:55:21 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2013-10-19 18:55:21 +0000 |
commit | 39894fcac053775940d6a3d2259d474fb1d9b052 (patch) | |
tree | ce3c5323d4d055fefd1a0d3d8f90902ce3d0bc8a | |
parent | 52313309b06d8b27f9fbe731b2159323eda33b38 (diff) | |
Fix to use escape function from db library
-rw-r--r-- | vmail-model.lua | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/vmail-model.lua b/vmail-model.lua
index 7da14ce..2ab4793 100644
--- a/vmail-model.lua
+++ b/vmail-model.lua
@@ -98,22 +98,22 @@ local generatewhereclause = function(username, message, foldername, uid)
 local sql = ""
 local where = {}
 if username and username ~= "" then
- where[#where+1] = "username = '"..escape(username).."'"
+ where[#where+1] = "username = '"..vmaildb.escape(username).."'"
 end
 if message and type(message) == "string" and message ~= "" then
- where[#where+1] = "uuid = '"..escape(message).."'"
+ where[#where+1] = "uuid = '"..vmaildb.escape(message).."'"
 elseif message and type(message) == "table" and #message > 0 then
 local where2 = {}
 for i,m in ipairs(message) do
- where2[#where2+1] = "uuid = '"..escape(m).."'"
+ where2[#where2+1] = "uuid = '"..vmaildb.escape(m).."'"
 end
 where[#where+1] = "(" .. table.concat(where2, " OR ") .. ")"
 end
 if foldername and foldername ~= "" then
- where[#where+1] = "in_folder = '"..escape(foldername).."'"
+ where[#where+1] = "in_folder = '"..vmaildb.escape(foldername).."'"
 end
 if uid and uid ~= "" then
- where[#where+1] = "uid = '"..escape(uid).."'"
+ where[#where+1] = "uid = '"..vmaildb.escape(uid).."'"
 end
 if #where > 0 then
 sql = " WHERE " .. table.concat(where, " AND ")
@@ -209,7 +209,7 @@ local setuserparams = function(userparams)
 for i,parm in ipairs(params) do
 if parm.name and not ignoreparam[parm.name] then
 if userparams[parm.name] and (userparams[parm.name].value ~= nil) and tostring(userparams[parm.name].value) ~= parm.value then
- sql = "INSERT INTO voicemail_values VALUES('"..escape(uid[1].uid).."', '"..escape(parm.nid).."', '"..escape(tostring(userparams[parm.name].value)).."')"
+ sql = "INSERT INTO voicemail_values VALUES('"..vmaildb.escape(uid[1].uid).."', '"..vmaildb.escape(parm.nid).."', '"..vmaildb.escape(tostring(userparams[parm.name].value)).."')"
 vmaildb.runsqlcommand(sql, true)
 end
 end
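Review bot: In generatewhereclause (hunk at line 98) only `message` is type-checked; `username`, `foldername` and `uid` are compared with `""` and then handed to `vmaildb.escape` as they are, so a number or table argument reaches the escape call and the `..` concatenation. How `vmaildb.escape` treats a non-string is not visible in this diff; wrapping the value, e.g. `where[#where+1] = "uid = '"..vmaildb.escape(tostring(uid)).."'"`, would match what setuserparams already does with `tostring(...)`. Because this clause is appended to UPDATE statements, I would also add a comment at the top stating that an empty argument drops its condition and widens the match, e.g. `-- NOTE: nil or "" arguments are skipped, so callers must validate them before an UPDATE`. The function body continues past the end of the hunk.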
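Review bot: The `INSERT INTO voicemail_values VALUES(...)` statement in setuserparams (hunk at line 209) depends on the table's column order, unlike the voicemail_prefs insert later in the same function, which names `(username, domain, password)`. The same applies to `INSERT INTO voicemail_users VALUES(null, ...)` in update_usersettings (hunk at line 739). A schema change would silently put escaped values into the wrong columns, so I would name them: `INSERT INTO voicemail_values (<uid column>, <nid column>, <value column>) VALUES (...)`, with the real column names, which this diff does not show.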
@@ -221,10 +221,10 @@ local setuserparams = function(userparams)
 local password = vmaildb.getselectresponse(sql, true)
 if #password > 0 then
 -- update
- sql = "UPDATE voicemail_prefs SET password='"..escape(userparams["vm-password"].value).."'"..generatewhereclause(userparams.username.value)
+ sql = "UPDATE voicemail_prefs SET password='"..vmaildb.escape(userparams["vm-password"].value).."'"..generatewhereclause(userparams.username.value)
 else
 -- insert
- sql = "INSERT INTO voicemail_prefs (username, domain, password) VALUES ('"..escape(userparams.username.value).."', '"..escape(config.domain).."', '"..escape(userparams["vm-password"].value).."')"
+ sql = "INSERT INTO voicemail_prefs (username, domain, password) VALUES ('"..vmaildb.escape(userparams.username.value).."', '"..vmaildb.escape(config.domain).."', '"..vmaildb.escape(userparams["vm-password"].value).."')"
 end
 vmaildb.runsqlcommand(sql, true)
 end
@@ -550,7 +550,7 @@ mymodule.move_message = function(self, moverequest)
 -- Check if newfolder exists
 if validfolder(moverequest.value.newfolder.value) then
 for i,m in ipairs(mess) do
- local sql = "UPDATE voicemail_msgs SET in_folder='"..escape(moverequest.value.newfolder.value).."'" .. generatewhereclause(moverequest.value.username.value, messages)
+ local sql = "UPDATE voicemail_msgs SET in_folder='"..vmaildb.escape(moverequest.value.newfolder.value).."'" .. generatewhereclause(moverequest.value.username.value, messages)
 vmaildb.runsqlcommand(sql)
 end
 if #mess == 1 then
@@ -739,7 +739,7 @@ mymodule.update_usersettings = function(self, usersettings, action, create)
 errtxt = "User does not exist"
 else
 if create then
- sql = "INSERT INTO voicemail_users VALUES(null, '"..escape(usersettings.value.username.value).."')"
+ sql = "INSERT INTO voicemail_users VALUES(null, '"..vmaildb.escape(usersettings.value.username.value).."')"
 vmaildb.runsqlcommand(sql)
 end
 success,errtxt = setuserparams(usersettings.value) |
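Review bot: Both branches of the setuserparams hunk at line 221 interpolate the voicemail password into the statement text, so the string passed to `vmaildb.runsqlcommand(sql, true)` carries it in clear. Whether runsqlcommand or the db library logs a failing statement or returns it in an error message is not visible in this diff; if it does, the password ends up in logs or in the rendered error, so that path is worth checking and redacting. Separately, `userparams["vm-password"].value` goes to the escape call without `tostring`, while the parameter loop above wraps its values; `vmaildb.escape(tostring(userparams["vm-password"].value))` would keep the two consistent.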
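Review bot: In move_message (hunk at line 550) the loop `for i,m in ipairs(mess) do` never uses `m`: every iteration builds the same UPDATE from `messages` and runs it again, so the identical statement executes once per entry in `mess`. Both `mess` and `messages` are defined outside the hunk, so I am assuming `messages` is the full uuid list; if so, the two lines can move out of the loop and run once, guarded by `if #mess > 0 then`. If one statement per message was intended, the call should pass `m` (or its uuid field) instead of `messages`.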