author | Ted Trask <ttrask01@yahoo.com> | 2013-05-25 02:13:54 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2013-05-25 20:06:05 +0000 |
commit | 2acd6caf383e18be4d12b6b7ba6344406c590fb1 (patch) | |
tree | 60d9acd68447527ebfe9c8a4bb020b4a93bd0564 | |
parent | e835876a10ffcf6a0cf84aa891924648498e0bf5 (diff) | |
Added some more SQL escape calls just to be safe
(cherry picked from commit 4912561d5332a96bc1921ca3a76ba74f8d118306)
-rw-r--r-- | provisioning-model.lua | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/provisioning-model.lua b/provisioning-model.lua
index b2845eb..f8815f3 100644
--- a/provisioning-model.lua
+++ b/provisioning-model.lua
@@ -115,7 +115,7 @@ local databaseconnect = function()
 -- Let's create all the tables from the start
 for n,v in pairs(table_creation_scripts) do
 if not string.match(n, "^_") then
- runsqlcommand("SELECT * FROM "..n.." LIMIT 1")
+ runsqlcommand("SELECT * FROM "..escape(n).." LIMIT 1")
 end
 end
 end
@@ -962,7 +962,7 @@ update_group = function(group, create)
 else
 sql = sql.."null"
 end
- sql = sql..", '"..tostring(reverseeditable[p] ~= nil).."')"
+ sql = sql..", '"..escape(tostring(reverseeditable[p] ~= nil)).."')"
 runsqlcommand(sql, true)
 end
@@ -1658,8 +1658,8 @@ search_device_values = function(search)
 sql = "SELECT d2t.device_id, "
 local group, param = string.match(search.value.id.value, "([^%.]*)%.(.*)")
 if not group then
- sql = sql.."'"..search.value.id.value.."' AS param, d2t."..search.value.id.value.." AS value FROM devices_to_classes d2t WHERE d2t."..search.value.id.value..
- search.value.comparison.value.."'"..escape(search.value.value.value).."' GROUP BY device_id"
+ sql = sql.."'"..escape(search.value.id.value).."' AS param, d2t."..escape(search.value.id.value).." AS value FROM devices_to_classes d2t WHERE d2t."..escape(search.value.id.value)..
+ escape(search.value.comparison.value).."'"..escape(search.value.value.value).."' GROUP BY device_id"
 else
 sql = sql.."g.name as group, p.name as param, CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END as value FROM "..
 "devices_to_classes d2t JOIN provisioning_classes t USING(class_id) JOIN classes_to_param_groups t2g USING(class_id) "..
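Review bot: `escape(n)` in the new `runsqlcommand("SELECT * FROM "..escape(n).." LIMIT 1")` line adds no protection, because `n` stands in identifier position with no surrounding quotes, and the other uses of `escape` in this diff are all inside `'...'`, which suggests it is a string-literal escaper that only neutralises quote characters. `n` is a key of `table_creation_scripts`, which looks like an internal table rather than request input, so the call is harmless but gives a false sense of coverage. I would either drop it or annotate it: `-- n is an internal table name; escape() guards literals, not identifier positions`. databaseconnect starts outside the hunk.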
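Review bot: In the new `if not group` branch, `search.value.id.value` is interpolated as a column name (`d2t.<id>`) and `search.value.comparison.value` as the SQL operator, and wrapping them in `escape()` does not make either position safe: a literal escaper neutralises quote characters, but a comparison value such as ` IS NOT NULL OR 1=1 --` needs no quote to rewrite the WHERE clause. Both fields should be checked against a fixed list before the string is built, for example `assert(valid_comparisons[search.value.comparison.value], "invalid comparison")` and a check that the id is one of the known `devices_to_classes` columns, with `escape()` kept only for the quoted `search.value.value.value`. The implementation of `escape` is not visible in this diff, so this assumes it is a string-literal escaper as its other uses suggest. search_device_values starts and ends outside the hunk.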
@@ -1670,7 +1670,7 @@ search_device_values = function(search)
 else
 sql = sql.."WHERE"
 end
- sql = sql.." p.name='"..escape(param).."' AND CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END"..search.value.comparison.value.."'"..escape(search.value.value.value).."'"
+ sql = sql.." p.name='"..escape(param).."' AND CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END"..escape(search.value.comparison.value).."'"..escape(search.value.value.value).."'"
 end
 sql = sql.." ORDER BY d2t.device_id ASC"
 search.value.result.value = getselectresponse(sql)
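Review bot: `escape(search.value.comparison.value)` on the added line sits between the CASE expression and the quoted value with no quoting of its own, so if the comparison field can be set freely by the caller, escaping quote characters in it is not a defence against injecting extra SQL. I would map the form value to one of a fixed set of operators before this line, `local op = valid_comparisons[search.value.comparison.value] or error("invalid comparison")`, and concatenate `op` instead of the raw field. Whether `escape` does more than literal escaping is not visible here, so this assumes it behaves like its other uses in the diff. search_device_values continues outside the hunk on both sides.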
@@ -1837,15 +1837,15 @@ function dump_database(db)
 sql = "SELECT label FROM devices_to_classes JOIN provisioning_classes USING(class_id) WHERE device_id='"..escape(d.device_id).."'"
 tmp = getselectresponse(sql)
 for j,t in ipairs(tmp) do
- lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..i..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
+ lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..escape(i)..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
 end
 sql = "SELECT group_name, p.name AS param, v.value FROM provisioning_values v JOIN provisioning_params p USING(param_id) WHERE device_id='"..escape(d.device_id).."'"
 tmp = getselectresponse(sql)
 for j,t in ipairs(tmp) do
- lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..i..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..t.value.."');"
+ lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..escape(i)..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..escape(t.value).."');"
 end
 end
- lines[#lines+1] = "SELECT pg_catalog.setval('provisioning_device_seq', "..#devices..", true);"
+ lines[#lines+1] = "SELECT pg_catalog.setval('provisioning_device_seq', "..escape(#devices)..", true);"
 end
 db.value.data = cfe({ type="longtext", value=table.concat(lines, "\n") or "", label="Database Values" })
 if connected then databasedisconnect() end |
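Review bot: `escape(i)` and `escape(#devices)` wrap values that are interpolated unquoted as numeric literals (`#devices` is a table length, and `i` appears to be the loop index of a loop that starts outside this hunk), so they add no protection and their result depends on how `escape` treats a non-string argument, which is not visible here; `tostring(i)` would state the intent without that dependency. The change that matters in this hunk is `escape(t.value)`, since `v.value` is data read back from the database and replayed as an INSERT in the generated dump. A short comment next to it, `-- values come from the database and must be quoted on replay; the integer ids need no escaping`, would keep the next reader from applying `escape` to every concatenation. dump_database starts outside the hunk.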