From 7e108028ef8a40295bb7535d29779d5f80e11bec Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Tue, 18 Jun 2013 19:02:32 +0000
Subject: Add some more escape calls Fix for alpine linux bug #2103
---
 kamailio-model.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'kamailio-model.lua')
diff --git a/kamailio-model.lua b/kamailio-model.lua
index b015c35..1ba7956 100644
--- a/kamailio-model.lua
+++ b/kamailio-model.lua
@@ -458,7 +458,7 @@ function update_table_entry(self, entry, action, create)
 if create then
 sql = "INSERT INTO "..escape(entry.value.table.value).." ("..table.concat(names, ", ")..") VALUES('"..table.concat(values, "', '").."')"
 else
- sql = "UPDATE "..entry.value.table.value.." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"
+ sql = "UPDATE "..escape(entry.value.table.value).." SET ("..table.concat(names, ", ")..") = ('"..table.concat(values, "', '").."') WHERE id='"..escape(entry.value.id.value).."'"
 end
 runsqlcommand(sql)
 end
@@ -547,7 +547,7 @@ function search_database(id, value, comparison)
 retval.result = cfe({type="structure", value={}, label="List of Rows", seq=4 })
 local table, column = string.match(id, "^([^.]*)%.(.*)")
 if table then
- local sql = "SELECT * FROM "..table.." WHERE "..column..comparison.."'"..value.."'"
+ local sql = "SELECT * FROM "..escape(table).." WHERE "..escape(column)..escape(comparison).."'"..escape(value).."'"
 retval.result.value = getselectresponse(sql)
 end
 end
-- 
cgit v1.2.3
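Review bot: The table name in the new UPDATE line is spliced in as a bare identifier, not inside quotes, so `escape(entry.value.table.value)` only protects the statement if escape() rejects everything that is not an identifier character. Its definition is not part of this patch; if it is a string-literal escaper, a name containing no quote characters passes through unchanged and is parsed as SQL syntax. The same concern applies to `escape(table)` and `escape(column)` in the search_database hunk. I would guard identifiers with an explicit check such as `string.match(entry.value.table.value, "^[%w_]+$")`, or a lookup against the tables the model already knows, and fail the update when it does not match. update_table_entry starts above the hunk, where `names` and `values` are assembled, so whether each of those elements is escaped cannot be confirmed from here and is worth checking in the same pass.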
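Review bot: `escape(comparison)` does not constrain the operator in the new SELECT line: `comparison` sits between the column name and the opening quote as bare SQL, so whatever survives escape() is executed as syntax instead of being treated as data. An operator should be matched against a fixed set, not escaped. I would add a small local set of the comparisons the search form actually offers and return before `sql` is built when `comparison` is not a key in it, along the lines of `if not allowed_comparisons[comparison] then return retval end` (`allowed_comparisons` is a name to introduce, and the early return assumes `retval` is what the function hands back, since its end lies outside the hunk). Only `escape(value)` is in a quoted position here, which is the one place a literal escaper is the right tool.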