authorTed Trask <ttrask01@yahoo.com>2013-05-25 02:13:54 +0000
committerTed Trask <ttrask01@yahoo.com>2013-05-25 02:13:54 +0000
commit4912561d5332a96bc1921ca3a76ba74f8d118306 (patch)
tree9bd7671c04a8fdd822fa2a28c8535be10cad70cd
parent0c25cb523206e49188e15388167be9b71fa1c692 (diff)
Added some more SQL escape calls just to be safe
-rw-r--r--provisioning-model.lua16
1 files changed, 8 insertions, 8 deletions
diff --git a/provisioning-model.lua b/provisioning-model.lua
index c4b718d..82ea33f 100644
--- a/provisioning-model.lua
+++ b/provisioning-model.lua
@@ -118,7 +118,7 @@ local databaseconnect = function()
-- Let's create all the tables from the start
for n,v in pairs(table_creation_scripts) do
if not string.match(n, "^_") then
- runsqlcommand("SELECT * FROM "..n.." LIMIT 1")
+ runsqlcommand("SELECT * FROM "..escape(n).." LIMIT 1")
end
end
end
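Review bot: escape() on the table name in the `SELECT * FROM` line cannot make an identifier position safe: a string-literal escaper (presumably it doubles single quotes — its definition is not visible here) leaves spaces, `;` and `--` untouched, and an identifier is not wrapped in quotes in the first place, so the call changes nothing about what reaches the database. The keys of `table_creation_scripts` look internal, so the practical risk is low; the concern is that the call signals a protection that isn't there. A whitelist states what is actually guaranteed: `if not string.match(n, "^_") and string.match(n, "^[%a_][%w_]*$") then`. databaseconnect() begins before this hunk.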
@@ -993,7 +993,7 @@ update_group = function(self, group, action, create)
else
sql = sql.."null"
end
- sql = sql..", '"..tostring(reverseeditable[p] ~= nil).."')"
+ sql = sql..", '"..escape(tostring(reverseeditable[p] ~= nil)).."')"
runsqlcommand(sql, true)
end
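Review bot: `escape(tostring(reverseeditable[p] ~= nil))` can only ever produce the strings `true` or `false`, so the added call is a no-op that makes the escape sites that matter harder to pick out in a review. Either drop it or keep it with a comment that says so, e.g. `-- boolean literal: escape() is a no-op here`. The earlier pieces of this statement, including `p` itself, are outside the hunk, so I cannot confirm they are escaped; that is where a check would be worth the effort. update_group's body starts and ends outside the hunk.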
@@ -1727,8 +1727,8 @@ search_device_values = function(self, search)
sql = "SELECT d2t.device_id, "
local group, param = string.match(search.value.id.value, "([^%.]*)%.(.*)")
if not group then
- sql = sql.."'"..search.value.id.value.."' AS param, d2t."..search.value.id.value.." AS value FROM devices_to_classes d2t WHERE d2t."..search.value.id.value..
- search.value.comparison.value.."'"..escape(search.value.value.value).."' GROUP BY device_id"
+ sql = sql.."'"..escape(search.value.id.value).."' AS param, d2t."..escape(search.value.id.value).." AS value FROM devices_to_classes d2t WHERE d2t."..escape(search.value.id.value)..
+ escape(search.value.comparison.value).."'"..escape(search.value.value.value).."' GROUP BY device_id"
else
sql = sql.."g.name as group, p.name as param, CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END as value FROM "..
"devices_to_classes d2t JOIN provisioning_classes t USING(class_id) JOIN classes_to_param_groups t2g USING(class_id) "..
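Review bot: `search.value.id.value` is spliced into identifier positions (`d2t.<id>`, three times on the new line) and escape() does not protect those: if it is the usual single-quote doubler, an id such as `device_id = 1 OR 1 = 1 --` contains no quote and reaches the query untouched, so the injection this commit is meant to close is still open on this line. Identifier positions need a whitelist rather than escaping; before the `if not group` branch something like `if not string.match(search.value.id.value, "^[%a_][%w_.]*$") then` followed by `search.value.id.errtxt = "Invalid parameter"` and `return search` (assuming errtxt is how this model reports errors — confirm against its other actions). The comparison operator on the second new line has the same problem and needs its own allow-list. search_device_values starts before this hunk.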
@@ -1739,7 +1739,7 @@ search_device_values = function(self, search)
else
sql = sql.."WHERE"
end
- sql = sql.." p.name='"..escape(param).."' AND CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END"..search.value.comparison.value.."'"..escape(search.value.value.value).."'"
+ sql = sql.." p.name='"..escape(param).."' AND CASE WHEN v.value IS NOT NULL THEN v.value WHEN g2p.value IS NOT NULL THEN g2p.value ELSE p.value END"..escape(search.value.comparison.value).."'"..escape(search.value.value.value).."'"
end
sql = sql.." ORDER BY d2t.device_id ASC"
search.value.result.value = getselectresponse(sql)
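Review bot: `search.value.comparison.value` is concatenated into the operator position after the CASE expression, and escaping it only neutralises single quotes: a comparison of `= 1 OR 1 = 1 --` has no quote, survives escape() unchanged, and turns the condition into a tautology with the real value commented out. Escaping cannot fix an operator position; check it against the operators the form actually offers, e.g. `local ops = { ["="]=true, ["<>"]=true, ["<"]=true, [">"]=true, ["LIKE"]=true }` and `if not ops[search.value.comparison.value] then search.value.comparison.errtxt = "Invalid comparison" return search end` placed once before the `if not group` branch so both query shapes are covered (the error-reporting style is a guess from the cfe structure — match the model's convention). The hunk's enclosing function begins earlier than the hunk shows.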
@@ -1907,15 +1907,15 @@ function dump_database(self, db)
sql = "SELECT label FROM devices_to_classes JOIN provisioning_classes USING(class_id) WHERE device_id='"..escape(d.device_id).."'"
tmp = getselectresponse(sql)
for j,t in ipairs(tmp) do
- lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..i..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
+ lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..escape(i)..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
end
sql = "SELECT group_name, p.name AS param, v.value FROM provisioning_values v JOIN provisioning_params p USING(param_id) WHERE device_id='"..escape(d.device_id).."'"
tmp = getselectresponse(sql)
for j,t in ipairs(tmp) do
- lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..i..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..t.value.."');"
+ lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..escape(i)..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..escape(t.value).."');"
end
end
- lines[#lines+1] = "SELECT pg_catalog.setval('provisioning_device_seq', "..#devices..", true);"
+ lines[#lines+1] = "SELECT pg_catalog.setval('provisioning_device_seq', "..escape(#devices)..", true);"
end
db.value.data = cfe({ type="longtext", value=table.concat(lines, "\n") or "", label="Database Values" })
if connected then databasedisconnect() end
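Review bot: `escape(i)` and `escape(#devices)` hand Lua numbers to escape(), and what happens depends on its handling of non-strings, which is not visible here: if it runs string.gsub the number is coerced and the result is fine, if it returns non-strings unchanged the call is a plain no-op. Either way these are loop counters, not data, and wrapping them suggests a risk that does not exist; `tostring(i)` and `tostring(#devices)` say what is meant. The change on this hunk that matters is `escape(t.value)` in the provisioning_values INSERT: the dump is SQL that is presumably executed again later, and a stored value containing a quote previously terminated the literal early and corrupted or altered the generated statement. dump_database starts before this hunk.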