authorTed Trask <ttrask01@yahoo.com>2013-05-25 02:13:54 +0000
committerTed Trask <ttrask01@yahoo.com>2013-05-25 20:06:05 +0000
commit2acd6caf383e18be4d12b6b7ba6344406c590fb1 (patch)
tree60d9acd68447527ebfe9c8a4bb020b4a93bd0564
parente835876a10ffcf6a0cf84aa891924648498e0bf5 (diff)
downloadacf-provisioning-2acd6caf383e18be4d12b6b7ba6344406c590fb1.tar.bz2
acf-provisioning-2acd6caf383e18be4d12b6b7ba6344406c590fb1.tar.xz
Added some more SQL escape calls just to be safe
(cherry picked from commit 4912561d5332a96bc1921ca3a76ba74f8d118306)
-rw-r--r--provisioning-model.lua16
1 files changed, 8 insertions, 8 deletions
diff --git a/provisioning-model.lua b/provisioning-model.lua
index b2845eb..f8815f3 100644
--- a/provisioning-model.lua
+++ b/provisioning-model.lua
@@ -115,7 +115,7 @@ local databaseconnect = function()
-- Let's create all the tables from the start
for n,v in pairs(table_creation_scripts) do
if not string.match(n, "^_") then
- runsqlcommand("SELECT * FROM "..n.." LIMIT 1")
+ runsqlcommand("SELECT * FROM "..escape(n).." LIMIT 1")
end
end
end
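Review bot: The escape() added on the `SELECT * FROM` line wraps a bare identifier, and a quote-doubling string escaper (which is how escape() is used around quoted values elsewhere in this file) offers nothing in an unquoted position — the table name still lands in the statement verbatim. Since `n` is a key of `table_creation_scripts`, a table defined in this module, the input is not external and the risk is low, but the call suggests a coverage it does not give. If a guard is wanted here, make it an identifier check rather than an escape, e.g. `if not string.match(n, "^_") and string.match(n, "^[%a_][%w_]*$") then`. databaseconnect begins before this hunk.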
@@ -962,7 +962,7 @@ update_group = function(group, create)
else
sql = sql.."null"
end
- sql = sql..", '"..tostring(reverseeditable[p] ~= nil).."')"
+ sql = sql..", '"..escape(tostring(reverseeditable[p] ~= nil)).."')"
runsqlcommand(sql, true)
end
@@ -1658,8 +1658,8 @@ search_device_values = function(search)
sql = "SELECT d2t.device_id, "
local group, param = string.match(search.value.id.value, "([^%.]*)%.(.*)")
if not group then
- sql = sql.."'"..search.value.id.value.."' AS param, d2t."..search.value.id.value.." AS value FROM devices_to_classes d2t WHERE d2t."..search.value.id.value..
- search.value.comparison.value.."'"..escape(search.value.value.value).."' GROUP BY device_id"
+ sql = sql.."'"..escape(search.value.id.value).."' AS param, d2t."..escape(search.value.id.value).." AS value FROM devices_to_classes d2t WHERE d2t."..escape(search.value.id.value)..
+ escape(search.value.comparison.value).."'"..escape(search.value.value.value).."' GROUP BY device_id"
else
sql = sql.."g.name as group, p.name as param, CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END as value FROM "..
"devices_to_classes d2t JOIN provisioning_classes t USING(class_id) JOIN classes_to_param_groups t2g USING(class_id) "..
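Review bot: The escape() calls added around `search.value.id.value` and `search.value.comparison.value` on the new lines do not make those positions safe: the id is spliced in as a column name (`d2t.<id>`) and the comparison as an SQL operator, neither of which is inside quotes, so doubling single quotes leaves any other content (spaces, keywords, semicolons) untouched. Assuming these values originate from the search form, the meaningful check is a whitelist — accept `id.value` only when it matches a known column and `comparison.value` only from a fixed set such as `{["="]=true, ["!="]=true, ["LIKE"]=true}` (constructed example; use the operators the code actually supports), and reject the search otherwise. The same applies to the comparison operator in the following hunk. search_device_values starts before this hunk and continues after it.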
@@ -1670,7 +1670,7 @@ search_device_values = function(search)
else
sql = sql.."WHERE"
end
- sql = sql.." p.name='"..escape(param).."' AND CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END"..search.value.comparison.value.."'"..escape(search.value.value.value).."'"
+ sql = sql.." p.name='"..escape(param).."' AND CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END"..escape(search.value.comparison.value).."'"..escape(search.value.value.value).."'"
end
sql = sql.." ORDER BY d2t.device_id ASC"
search.value.result.value = getselectresponse(sql)
@@ -1837,15 +1837,15 @@ function dump_database(db)
sql = "SELECT label FROM devices_to_classes JOIN provisioning_classes USING(class_id) WHERE device_id='"..escape(d.device_id).."'"
tmp = getselectresponse(sql)
for j,t in ipairs(tmp) do
- lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..i..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
+ lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..escape(i)..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
end
sql = "SELECT group_name, p.name AS param, v.value FROM provisioning_values v JOIN provisioning_params p USING(param_id) WHERE device_id='"..escape(d.device_id).."'"
tmp = getselectresponse(sql)
for j,t in ipairs(tmp) do
- lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..i..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..t.value.."');"
+ lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..escape(i)..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..escape(t.value).."');"
end
end
- lines[#lines+1] = "SELECT pg_catalog.setval('provisioning_device_seq', "..#devices..", true);"
+ lines[#lines+1] = "SELECT pg_catalog.setval('provisioning_device_seq', "..escape(#devices)..", true);"
end
db.value.data = cfe({ type="longtext", value=table.concat(lines, "\n") or "", label="Database Values" })
if connected then databasedisconnect() end
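Review bot: The escape() calls added around `i` and `#devices` pass numbers where the other call sites pass strings; whether that is safe depends on escape()'s implementation, which is not visible here — a string.gsub-based escaper coerces the number silently, but one that checks its argument type would raise inside dump_database. Those positions are also unquoted numeric literals, so quote-doubling adds nothing; `tostring(i)` and `tostring(#devices)` state the intent more plainly, while the change that actually closes a gap in this hunk is the new `escape(t.value)` in the provisioning_values INSERT. dump_database begins before this hunk and continues past it.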