diff options
| author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2005-12-27 02:02:23 +0000 |
|---|---|---|
| committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2005-12-27 02:02:23 +0000 |
| commit | c12493b76531de8199f33a2a34238f7def8b194b (patch) | |
| tree | 78695566ff2240d3c05e57ce0387b21898da632d | |
| parent | e0618cf82a07fc7020f3d9b348fde91e9672feeb (diff) | |
Add SQL_ESC to allow single ticks to be escaped
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@7642 f38db490-d61c-443f-a65b-d21fe96a405b
| -rw-r--r-- | configs/func_odbc.conf.sample | 11 | ||||
| -rw-r--r-- | funcs/func_odbc.c | 32 |
2 files changed, 40 insertions, 3 deletions
diff --git a/configs/func_odbc.conf.sample b/configs/func_odbc.conf.sample index 0c4a01517..bcf769e37 100644 --- a/configs/func_odbc.conf.sample +++ b/configs/func_odbc.conf.sample @@ -12,6 +12,11 @@ ; In addition, for write statements, you have ${VAL1}, ${VAL2} ... ${VALn} ; parsed, just like arguments, for the values. In addition, if you want the ; whole value, never mind the parsing, you can get that with ${VALUE}. +; +; +; If you have data which may potentially contain single ticks, you may wish +; to use the dialplan function SQL_ESC() to escape the data prior to its +; inclusion in the SQL statement. ; ODBC_SQL - Allow an SQL statement to be built entirely in the dialplan @@ -22,11 +27,11 @@ read=${ARG1} ; ODBC_ANTIGF - A blacklist. [ANTIGF] dsn=mysql1 -read=SELECT COUNT(*) FROM exgirlfriends WHERE callerid='${ARG1}' +read=SELECT COUNT(*) FROM exgirlfriends WHERE callerid='${SQL_ESC(${ARG1})}' ; ODBC_PRESENCE - Retrieve and update presence [PRESENCE] dsn=mysql1 -read=SELECT location FROM presence WHERE id='${ARG1}' -write=UPDATE presence SET location='${VAL1}' WHERE id='${ARG1}' +read=SELECT location FROM presence WHERE id='${SQL_ESC(${ARG1})}' +write=UPDATE presence SET location='${SQL_ESC(${VAL1})}' WHERE id='${SQL_ESC(${ARG1})}' diff --git a/funcs/func_odbc.c b/funcs/func_odbc.c index 770ac8092..496933ef0 100644 --- a/funcs/func_odbc.c +++ b/funcs/func_odbc.c @@ -351,6 +351,35 @@ acf_out: return buf; } +static char *acf_escape(struct ast_channel *chan, char *cmd, char *data, char *buf, size_t len) +{ + char *in, *out = buf; + for (in = data; *in && out - buf < len; in++) { + if (*in == '\'') { + *out = '\''; + out++; + } + *out = *in; + out++; + } + *out = '\0'; + return buf; +} + +struct ast_custom_function escape_function = { + .name = "SQL_ESC", + .synopsis = "Escapes single ticks for use in SQL statements", + .syntax = "SQL_ESC(<string>)", + .desc = +"Used in SQL templates to escape data which may contain single ticks (') which\n" +"are otherwise used to delimit data. For example:\n" +"SELECT foo FROM bar WHERE baz='${SQL_ESC(${ARG1})}'\n", + .read = acf_escape, + .write = NULL, +}; + + + static int init_acf_query(struct ast_config *cfg, char *catg, struct acf_odbc_query **query) { char *tmp; @@ -477,6 +506,7 @@ static int odbc_load_module(void) } ast_config_destroy(cfg); + ast_custom_function_register(&escape_function); out: ast_mutex_unlock(&query_lock); return res; @@ -507,6 +537,8 @@ static int odbc_unload_module(void) free(lastquery); queries = NULL; + ast_custom_function_unregister(&escape_function); + ast_mutex_unlock(&query_lock); return 0; } |