From ec7b126eb263c8c95f345b52f566e39c8c6c6d4e Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Tue, 3 Jan 2012 16:30:30 +0000
Subject: Fixed escape function to not escape \
---
 provisioning-model.lua | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/provisioning-model.lua b/provisioning-model.lua
index 7b1a0d5..3ea8a3b 100644
--- a/provisioning-model.lua
+++ b/provisioning-model.lua
@@ -32,10 +32,6 @@ local table_creation_scripts = require("provisioning/provisioning-scripts")
 -- ################################################################################
 -- LOCAL FUNCTIONS
-local function escape_quotes(str)
- return string.gsub(str or "", "'", "'\\''")
-end
-
 local function assert (v, m)
 if not v then
 m = m or "Assertion failed!"
@@ -47,8 +43,7 @@ end
 -- Escape special characters in sql statements
 local escape = function(sql)
 sql = sql or ""
- sql = string.gsub(sql, "'", "''")
- return string.gsub(sql, "\\", "\\\\")
+ return string.gsub(sql, "'", "''")
 end
 local createdatabase = function()
@@ -670,7 +665,7 @@ get_class = function(class_id)
 end
 end
 -- Now, get the class-to-paramgroup mappings
- sql = "SELECT group_id FROM classes_to_param_groups WHERE class_id="..escape(class_id)
+ sql = "SELECT group_id FROM classes_to_param_groups WHERE class_id='"..escape(class_id).."'"
 tmp = getselectresponse(sql)
 for i,g in ipairs(tmp) do
 groups[g.group_id] = true
@@ -868,7 +863,7 @@ get_group = function(group_id)
 end
 end
 -- Now, get the paramgroup-to-param mappings
- sql = "SELECT * FROM param_groups_to_params WHERE group_id="..escape(group_id)
+ sql = "SELECT * FROM param_groups_to_params WHERE group_id='"..escape(group_id).."'"
 tmp = getselectresponse(sql)
 for i,p in ipairs(tmp) do
 retval.params.value[#retval.params.value + 1] = p.param_id
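Review bot: In the `escape` hunk (`@@ -47,8 +43,7 @@`), doubling only `'` is sufficient only when the database treats a backslash inside a string literal as an ordinary character; on a server or session where backslash is still an escape character, a backslash in the input changes how the quote after it is parsed. Nothing in the hunk records which behaviour is relied on, so a comment above the function such as `-- assumes backslash is not an escape character in SQL string literals; verify the server setting` is needed, and the driver's own escaping routine or bound parameters would be preferable if the driver offers them. Separately, `string.gsub` returns the substitution count as a second value, so `return (string.gsub(sql, "'", "''"))` keeps `escape` to a single return value for callers that pass it as a last argument.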
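Review bot: The query in `get_class` (`@@ -670,7 +665,7 @@`) is still built by string concatenation, and `class_id` is sent as a quoted literal with no check that it has the expected form; the same holds for `group_id` in `get_group` and for `device_id` in `get_device` and `dump_database`. If these ids are integer keys (the schema is not visible in the hunks), validating first with `local id = tonumber(class_id)` and returning early when it is nil would remove the dependence on `escape` for these lookups. Failing that, a comment such as `-- class_id is quoted so that escape() applies; the value is not otherwise validated here` should sit on each of these lines. All four functions start and end outside their hunks.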
@@ -1215,7 +1210,7 @@ get_device = function(device_id)
 local connected = databaseconnect()
 if device_id and device_id ~= "" then
 -- Get the device-to-class mappings
- local sql = "SELECT class_id FROM devices_to_classes WHERE device_id="..escape(device_id)
+ local sql = "SELECT class_id FROM devices_to_classes WHERE device_id='"..escape(device_id).."'"
 local tmp = getselectresponse(sql)
 for i,g in ipairs(tmp) do
 classes[g.class_id] = true
@@ -1839,12 +1834,12 @@ function dump_database(db)
 sql = "SELECT device_id FROM devices_to_classes GROUP BY device_id ORDER BY device_id ASC"
 devices = getselectresponse(sql)
 for i,d in ipairs(devices) do
- sql = "SELECT label FROM devices_to_classes JOIN provisioning_classes USING(class_id) WHERE device_id="..escape(d.device_id)
+ sql = "SELECT label FROM devices_to_classes JOIN provisioning_classes USING(class_id) WHERE device_id='"..escape(d.device_id).."'"
 tmp = getselectresponse(sql)
 for j,t in ipairs(tmp) do
 lines[#lines+1] = "INSERT INTO devices_to_classes VALUES("..i..", (SELECT class_id FROM provisioning_classes WHERE label='"..escape(t.label).."'));"
 end
- sql = "SELECT group_name, p.name AS param, v.value FROM provisioning_values v JOIN provisioning_params p USING(param_id) WHERE device_id="..escape(d.device_id)
+ sql = "SELECT group_name, p.name AS param, v.value FROM provisioning_values v JOIN provisioning_params p USING(param_id) WHERE device_id='"..escape(d.device_id).."'"
 tmp = getselectresponse(sql)
 for j,t in ipairs(tmp) do
 lines[#lines+1] = "INSERT INTO provisioning_values VALUES("..i..", '"..escape(t.group_name).."', (SELECT param_id FROM provisioning_params WHERE name='"..escape(t.param).."'), '"..t.value.."');"
-- 
cgit v1.2.3
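Review bot: On the last line of the `dump_database` hunk (`@@ -1839,12 +1834,12 @@`), `t.value` is concatenated into the generated `INSERT INTO provisioning_values` statement without `escape`, unlike `t.group_name` and `t.param` on the same line. A stored value containing `'` therefore produces a malformed or altered statement when the dump is replayed. The tail of that line should read `'"..escape(t.value).."');"`. `dump_database` starts and ends outside the hunk, so other fields written to the dump could not be checked from here.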