author | Ted Trask <ttrask01@yahoo.com> | 2013-05-31 03:17:03 +0000 |
committer | Ted Trask <ttrask01@yahoo.com> | 2013-06-18 20:49:14 +0000 |
commit | d23608d8e2aef4fc14eda639813b2e3fbc5b6b13 (patch) | |
tree | 0ce7f5c420887debefcd81331124f3fa187c2397 | |
parent | b6e861f75f6beb8fbf56d8f48dbce0b52beb251d (diff) | |
Add some more DB escape function calls
(cherry picked from commit 8f3961970e5c2d88a8e4bb960ad341ede67bc98d)
Conflicts:
kamailio-model.lua
-rw-r--r-- | kamailio-model.lua | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/kamailio-model.lua b/kamailio-model.lua
index dc9daac..a6ab96c 100644
--- a/kamailio-model.lua
+++ b/kamailio-model.lua
@@ -117,7 +117,7 @@ end
 local listcolumns = function(table)
 local result = {}
 if DBENGINE == "PGSQL" then
- local col = getselectresponse("SELECT a.attname AS field FROM pg_class c, pg_attribute a, pg_type t WHERE c.relname = '"..table.."' AND a.attnum > 0 AND a.attrelid = c.oid AND a.atttypid = t.oid ORDER BY a.attnum")
+ local col = getselectresponse("SELECT a.attname AS field FROM pg_class c, pg_attribute a, pg_type t WHERE c.relname = '"..escape(table).."' AND a.attnum > 0 AND a.attrelid = c.oid AND a.atttypid = t.oid ORDER BY a.attnum")
 for i,c in ipairs(col) do
 result[#result+1] = c.field
 end
@@ -232,7 +232,7 @@ function list_users()
 end
 end
 table.sort(results, function(a,b) return a.username < b.username end)
- return cfe({type="list", value=results, label="Kamailio Users"})
+ return cfe({type="list", value=results, label="Kamailio Users", errtxt=errtxt})
 end
 function get_new_user()
@@ -329,7 +329,7 @@ function list_table_entries(table)
 if t == table then
 retval.table.errtxt = nil
 errtxt = nil
- retval.entries.value = getselectresponse("SELECT * FROM "..table.." ORDER BY id ASC") or {}
+ retval.entries.value = getselectresponse("SELECT * FROM "..escape(table).." ORDER BY id ASC") or {}
 retval.fields.value = listcolumns(table) or {}
 end
 end
@@ -363,7 +363,7 @@ function get_table_entry(table, id)
 retval[f] = cfe({ label=f, seq=i })
 end
 if id and id ~= "" then
- local entry = getselectresponse("SELECT * FROM "..table.." WHERE id='"..escape(id).."'")
+ local entry = getselectresponse("SELECT * FROM "..escape(clientdata.table).." WHERE id='"..escape(clientdata.id).."'")
 if entry and #entry > 0 then
 for n,v in pairs(entry[1]) do
 if retval[n] then retval[n].value = v end
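Review bot: The parameter named `table` in `local listcolumns = function(table)` shadows Lua's standard `table` library for the whole function body, and the hunk headers show the same name used in `list_table_entries(table)`, `get_table_entry(table, id)` and `delete_table_entry(table, id)`; any `table.concat`/`table.sort` call inside those bodies would resolve to the string argument instead of the library. A rename such as `local listcolumns = function(tablename)` with matching uses removes the hazard. The escaping added in this hunk sits inside a quoted literal (`c.relname = '...'`), so a string-value escaper is the right tool here, unlike the unquoted `FROM ..` positions in the later hunks. The bodies of these functions continue outside the hunk.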
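Review bot: The new line in `get_table_entry(table, id)` reads `clientdata.table` and `clientdata.id` instead of the function's own `table` and `id` parameters, and no `clientdata` is declared in the hunk or the signature; given the conflict listed in the commit message this looks like a mis-resolved cherry-pick, and if `clientdata` is not a global set elsewhere the index will raise at runtime. The intended line is presumably `local entry = getselectresponse("SELECT * FROM "..escape(table).." WHERE id='"..escape(id).."'")`. The hunk at `@@ -475,7` in `delete_table_entry(table, id)` has the same problem with `entry.value.table.value` and `entry.value.id.value`, where `entry` is not a parameter; it should read `local sql = "DELETE FROM "..escape(table).." WHERE id='"..escape(id).."'"`. Both function bodies start outside their hunks, so a prior declaration of these names cannot be ruled out from here.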
@@ -416,7 +416,7 @@ function update_table_entry(entry, create)
 end
 end
 if success and not create then
- local sql = "SELECT * FROM "..entry.value.table.value.." WHERE id='"..escape(entry.value.id.value).."'"
+ local sql = "SELECT * FROM "..escape(entry.value.table.value).." WHERE id='"..escape(entry.value.id.value).."'"
 local tmp = getselectresponse(sql)
 if not tmp or #tmp == 0 then
 success = false
@@ -428,12 +428,12 @@ function update_table_entry(entry, create)
 local values = {}
 for n,v in pairs(entry.value) do
 if n ~= "table" and n ~= "id" then
- names[#names+1] = n
+ names[#names+1] = escape(n)
 values[#values+1] = escape(v.value)
 end
 end
 if create then
- sql = "INSERT INTO "..entry.value.table.value.." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
+ sql = "INSERT INTO "..escape(entry.value.table.value).." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
 else
 sql = "UPDATE "..entry.value.table.value.." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"
 end
@@ -475,7 +475,7 @@ function delete_table_entry(table, id)
 end
 end
 if not errtxt then
- local sql = "DELETE FROM "..table.." WHERE id='"..escape(id).."'"
+ local sql = "DELETE FROM "..escape(entry.value.table.value).." WHERE id='"..escape(entry.value.id.value).."'"
 runsqlcommand(sql)
 result = "Entry Deleted"
 end |
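Review bot: In the `@@ -428,12` hunk the `else` branch `sql = "UPDATE "..entry.value.table.value.." SET ("..` still concatenates the table name unescaped while the INSERT branch two lines above now wraps it in `escape()`, so the change is inconsistent within one function; `sql = "UPDATE "..escape(entry.value.table.value).." SET ("..table.concat(names, ", ")..") = ('"..` brings it in line. More generally, the table name after `FROM`/`INTO`/`UPDATE` and the column names collected via `escape(n)` sit in unquoted identifier positions, where an escaper written for quoted string values may not neutralize the characters that matter there; `escape` is defined outside this hunk, so treat that as a point to verify rather than a finding. The robust control for identifiers is validation against a known list before the statement is built, as `list_table_entries` already does for the table name with `if t == table then` and as `listcolumns()` could provide for column names. The enclosing function starts and ends outside the hunk.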