authorTed Trask <ttrask01@yahoo.com>2013-05-31 03:17:03 +0000
committerTed Trask <ttrask01@yahoo.com>2013-05-31 03:17:03 +0000
commit8f3961970e5c2d88a8e4bb960ad341ede67bc98d (patch)
tree7c501ba73ce279fb322a54b61282c2e0eb31d898
parent70cf9a47e1861d96eb8cb1feccec17cb3150902c (diff)
downloadacf-kamailio-8f3961970e5c2d88a8e4bb960ad341ede67bc98d.tar.bz2
acf-kamailio-8f3961970e5c2d88a8e4bb960ad341ede67bc98d.tar.xz
Add some more DB escape function calls
-rw-r--r--kamailio-model.lua16
1 files changed, 8 insertions, 8 deletions
diff --git a/kamailio-model.lua b/kamailio-model.lua
index 9d8d495..b015c35 100644
--- a/kamailio-model.lua
+++ b/kamailio-model.lua
@@ -116,7 +116,7 @@ end
local listcolumns = function(table)
local result = {}
if DBENGINE == "PGSQL" then
- local col = getselectresponse("SELECT a.attname AS field FROM pg_class c, pg_attribute a, pg_type t WHERE c.relname = '"..table.."' AND a.attnum > 0 AND a.attrelid = c.oid AND a.atttypid = t.oid ORDER BY a.attnum")
+ local col = getselectresponse("SELECT a.attname AS field FROM pg_class c, pg_attribute a, pg_type t WHERE c.relname = '"..escape(table).."' AND a.attnum > 0 AND a.attrelid = c.oid AND a.atttypid = t.oid ORDER BY a.attnum")
for i,c in ipairs(col) do
result[#result+1] = c.field
end
@@ -225,7 +225,7 @@ function list_users()
end
end
table.sort(results, function(a,b) return a.username < b.username end)
- return cfe({type="list", value=results, label="Kamailio Users"})
+ return cfe({type="list", value=results, label="Kamailio Users", errtxt=errtxt})
end
function get_new_user()
@@ -322,7 +322,7 @@ function list_table_entries(table)
if t == table then
retval.table.errtxt = nil
errtxt = nil
- retval.entries.value = getselectresponse("SELECT * FROM "..table.." ORDER BY id ASC") or {}
+ retval.entries.value = getselectresponse("SELECT * FROM "..escape(table).." ORDER BY id ASC") or {}
retval.fields.value = listcolumns(table) or {}
end
end
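Review bot: `escape(table)` on line 42 is spliced into an unquoted FROM position, where a string-literal escaper gives no real protection: escape() (its definition is outside this diff, but the other call sites use it inside '…') makes a value safe between quotes, and an identifier position has no quotes, so whitespace and punctuation in the value pass straight through into the statement. The same pattern is applied to table names on lines 51, 60, 75 and 84 and to column names on line 69. In this hunk the `if t == table then` comparison against the existing table list already acts as an allowlist, which is the control that actually matters; the other call sites should rely on the same kind of allowlist (or on identifier quoting appropriate to DBENGINE) rather than on escape() alone. Suggest recording that on line 42, e.g. `-- table is validated above against the list of existing tables; escape() only protects quoted literals`. list_table_entries starts and ends outside the hunk.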
@@ -380,7 +380,7 @@ function get_table_entry(self, clientdata)
retval.value.id.value = clientdata.id or ""
retval.value.id.errtxt = "Entry does not exist"
if clientdata.id and clientdata.id ~= "" then
- local entry = getselectresponse("SELECT * FROM "..clientdata.table.." WHERE id='"..escape(clientdata.id).."'")
+ local entry = getselectresponse("SELECT * FROM "..escape(clientdata.table).." WHERE id='"..escape(clientdata.id).."'")
if entry and #entry > 0 then
for n,v in pairs(entry[1]) do
if retval.value[n] then retval.value[n].value = v end
@@ -438,7 +438,7 @@ function update_table_entry(self, entry, action, create)
end
end
if success and not create then
- local sql = "SELECT * FROM "..entry.value.table.value.." WHERE id='"..escape(entry.value.id.value).."'"
+ local sql = "SELECT * FROM "..escape(entry.value.table.value).." WHERE id='"..escape(entry.value.id.value).."'"
local tmp = getselectresponse(sql)
if not tmp or #tmp == 0 then
success = false
@@ -451,12 +451,12 @@ function update_table_entry(self, entry, action, create)
local values = {}
for n,v in pairs(entry.value) do
if n ~= "table" and n ~= "id" then
- names[#names+1] = n
+ names[#names+1] = escape(n)
values[#values+1] = escape(v.value)
end
end
if create then
- sql = "INSERT INTO "..entry.value.table.value.." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
+ sql = "INSERT INTO "..escape(entry.value.table.value).." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
else
sql = "UPDATE "..entry.value.table.value.." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"
end
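Review bot: The UPDATE branch on line 77 still concatenates `entry.value.table.value` raw, while the INSERT branch on line 75 and the SELECT on line 60 now wrap the same value in escape(); given the commit's stated purpose this looks like a missed line rather than a deliberate exception, so it should become `sql = "UPDATE "..escape(entry.value.table.value).." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"`. The column names in `names` (line 69) and the table name are identifier positions, so the value should also be checked against the known table/column list earlier in the function, which is outside the hunk and cannot be confirmed here. update_table_entry starts and ends outside the hunk.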
@@ -504,7 +504,7 @@ function delete_table_entry(self, entry)
end
end
if not entry.value.table.errtxt then
- local sql = "DELETE FROM "..entry.value.table.value.." WHERE id='"..escape(entry.value.id.value).."'"
+ local sql = "DELETE FROM "..escape(entry.value.table.value).." WHERE id='"..escape(entry.value.id.value).."'"
runsqlcommand(sql)
entry.errtxt = nil
end