From 8f3961970e5c2d88a8e4bb960ad341ede67bc98d Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Fri, 31 May 2013 03:17:03 +0000
Subject: Add some more DB escape function calls

---
 kamailio-model.lua | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kamailio-model.lua b/kamailio-model.lua
index 9d8d495..b015c35 100644
--- a/kamailio-model.lua
+++ b/kamailio-model.lua
@@ -116,7 +116,7 @@ end
 local listcolumns = function(table)
 local result = {}
 if DBENGINE == "PGSQL" then
- local col = getselectresponse("SELECT a.attname AS field FROM pg_class c, pg_attribute a, pg_type t WHERE c.relname = '"..table.."' AND a.attnum > 0 AND a.attrelid = c.oid AND a.atttypid = t.oid ORDER BY a.attnum")
+ local col = getselectresponse("SELECT a.attname AS field FROM pg_class c, pg_attribute a, pg_type t WHERE c.relname = '"..escape(table).."' AND a.attnum > 0 AND a.attrelid = c.oid AND a.atttypid = t.oid ORDER BY a.attnum")
 for i,c in ipairs(col) do
 result[#result+1] = c.field
 end
@@ -225,7 +225,7 @@ function list_users()
 end
 end
 table.sort(results, function(a,b) return a.username < b.username end)
- return cfe({type="list", value=results, label="Kamailio Users"})
+ return cfe({type="list", value=results, label="Kamailio Users", errtxt=errtxt})
 end
 
 function get_new_user()
@@ -322,7 +322,7 @@ function list_table_entries(table)
 if t == table then
 retval.table.errtxt = nil
 errtxt = nil
- retval.entries.value = getselectresponse("SELECT * FROM "..table.." ORDER BY id ASC") or {}
+ retval.entries.value = getselectresponse("SELECT * FROM "..escape(table).." ORDER BY id ASC") or {}
 retval.fields.value = listcolumns(table) or {}
 end
 end
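Review bot: On the `retval.entries.value = getselectresponse("SELECT * FROM "..escape(table).." ORDER BY id ASC")` line the escaped value lands in identifier position with no surrounding quotes, so if escape() is the usual string-literal escaper (its body is not in this diff) it does not bound the table name the way it bounds the quoted `id` values elsewhere in the patch. Here the enclosing `if t == table then` comparison against the enumerated tables (the loop header is outside the hunk) appears to be the actual guard, and the SQL is only built inside that branch; a comment such as `-- table matched an entry of the known-table list above; escape() is defence in depth, not the guard` would keep the next maintainer from relying on escape() alone. The same identifier-position use is introduced in hunks @@ -380, @@ -438, @@ -451 and @@ -504 (get_table_entry, update_table_entry, delete_table_entry), where no comparable membership check is visible; those callers should validate the table name, and in @@ -451 the column names `n`, against the known schema (listcolumns() already enumerates columns) before concatenating them, or quote them as identifiers for the engine in use. list_table_entries starts before this hunk.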
@@ -380,7 +380,7 @@ function get_table_entry(self, clientdata)
 retval.value.id.value = clientdata.id or ""
 retval.value.id.errtxt = "Entry does not exist"
 if clientdata.id and clientdata.id ~= "" then
- local entry = getselectresponse("SELECT * FROM "..clientdata.table.." WHERE id='"..escape(clientdata.id).."'")
+ local entry = getselectresponse("SELECT * FROM "..escape(clientdata.table).." WHERE id='"..escape(clientdata.id).."'")
 if entry and #entry > 0 then
 for n,v in pairs(entry[1]) do
 if retval.value[n] then retval.value[n].value = v end
@@ -438,7 +438,7 @@ function update_table_entry(self, entry, action, create)
 end
 end
 if success and not create then
- local sql = "SELECT * FROM "..entry.value.table.value.." WHERE id='"..escape(entry.value.id.value).."'"
+ local sql = "SELECT * FROM "..escape(entry.value.table.value).." WHERE id='"..escape(entry.value.id.value).."'"
 local tmp = getselectresponse(sql)
 if not tmp or #tmp == 0 then
 success = false
@@ -451,12 +451,12 @@ function update_table_entry(self, entry, action, create)
 local values = {}
 for n,v in pairs(entry.value) do
 if n ~= "table" and n ~= "id" then
- names[#names+1] = n
+ names[#names+1] = escape(n)
 values[#values+1] = escape(v.value)
 end
 end
 if create then
- sql = "INSERT INTO "..entry.value.table.value.." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
+ sql = "INSERT INTO "..escape(entry.value.table.value).." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
 else
 sql = "UPDATE "..entry.value.table.value.." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"
 end
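Review bot: The `else` branch of the same `if create` block still builds the UPDATE statement with the raw `entry.value.table.value`, while the INSERT branch three lines above now wraps it in escape(); the two branches should be treated alike, `sql = "UPDATE "..escape(entry.value.table.value).." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"`. Also, `names[#names+1] = escape(n)` escapes column names that are later concatenated bare inside `(...)`, and the table name in the INSERT line is bare too, so the escaping only helps if escape() (defined outside this diff) handles identifiers; a membership check of each `n` against listcolumns() for that table would be the dependable guard. update_table_entry starts and ends outside the hunk.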
@@ -504,7 +504,7 @@ function delete_table_entry(self, entry)
 end
 end
 if not entry.value.table.errtxt then
- local sql = "DELETE FROM "..entry.value.table.value.." WHERE id='"..escape(entry.value.id.value).."'"
+ local sql = "DELETE FROM "..escape(entry.value.table.value).." WHERE id='"..escape(entry.value.id.value).."'"
 runsqlcommand(sql)
 entry.errtxt = nil
 end

-- 
cgit v1.2.3