From be5d7cfa825f284c9f830d5d0a5cb85c3851fd58 Mon Sep 17 00:00:00 2001 From: tilghman Date: Wed, 4 May 2011 00:13:23 +0000 Subject: Merged revisions 316429 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.8 ........ r316429 | tilghman | 2011-05-03 19:12:25 -0500 (Tue, 03 May 2011) | 7 lines Escape column names in case they contain illegal characters ('-') or reserved words. (closes issue #19063) Reported by: festr Patches: patch uploaded by festr (license 443) ........ git-svn-id: http://svn.digium.com/svn/asterisk/trunk@316430 f38db490-d61c-443f-a65b-d21fe96a405b --- addons/cdr_mysql.c | 2 +- addons/res_config_mysql.c | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/addons/cdr_mysql.c b/addons/cdr_mysql.c index 167a5af58..60abae2d9 100644 --- a/addons/cdr_mysql.c +++ b/addons/cdr_mysql.c @@ -325,7 +325,7 @@ db_reconnect: ast_str_make_space(&escape, (valsz = strlen(value)) * 2 + 1); mysql_real_escape_string(&mysql, ast_str_buffer(escape), value, valsz); - ast_str_append(&sql1, 0, "%s", entry->name); + ast_str_append(&sql1, 0, "`%s`", entry->name); ast_str_append(&sql2, 0, "'%s'", ast_str_buffer(escape)); } } diff --git a/addons/res_config_mysql.c b/addons/res_config_mysql.c index 217664709..50047008d 100644 --- a/addons/res_config_mysql.c +++ b/addons/res_config_mysql.c @@ -608,7 +608,7 @@ static int update_mysql(const char *database, const char *tablename, const char If there is only 1 set, then we have our query. Otherwise, loop thru the list and concat */ ESCAPE_STRING(buf, newval); - ast_str_set(&sql, 0, "UPDATE %s SET %s = '%s'", tablename, newparam, ast_str_buffer(buf)); + ast_str_set(&sql, 0, "UPDATE %s SET `%s` = '%s'", tablename, newparam, ast_str_buffer(buf)); /* If the column length isn't long enough, give a chance to lengthen it. */ if (strncmp(column->type, "char", 4) == 0 || strncmp(column->type, "varchar", 7) == 0) { @@ -625,7 +625,7 @@ static int update_mysql(const char *database, const char *tablename, const char } ESCAPE_STRING(buf, newval); - ast_str_append(&sql, 0, ", %s = '%s'", newparam, ast_str_buffer(buf)); + ast_str_append(&sql, 0, ", `%s` = '%s'", newparam, ast_str_buffer(buf)); /* If the column length isn't long enough, give a chance to lengthen it. */ if (strncmp(column->type, "char", 4) == 0 || strncmp(column->type, "varchar", 7) == 0) { @@ -635,7 +635,7 @@ static int update_mysql(const char *database, const char *tablename, const char va_end(ap); ESCAPE_STRING(buf, lookup); - ast_str_append(&sql, 0, " WHERE %s = '%s'", keyfield, ast_str_buffer(buf)); + ast_str_append(&sql, 0, " WHERE `%s` = '%s'", keyfield, ast_str_buffer(buf)); ast_debug(1, "MySQL RealTime: Update SQL: %s\n", ast_str_buffer(sql)); @@ -719,7 +719,7 @@ static int update2_mysql(const char *database, const char *tablename, va_list ap return -1; } ESCAPE_STRING(buf, newval); - ast_str_append(&where, 0, "%s %s='%s'", first ? "" : " AND", newparam, ast_str_buffer(buf)); + ast_str_append(&where, 0, "%s `%s` = '%s'", first ? "" : " AND", newparam, ast_str_buffer(buf)); first = 0; /* If the column length isn't long enough, give a chance to lengthen it. */ @@ -744,7 +744,7 @@ static int update2_mysql(const char *database, const char *tablename, va_list ap } ESCAPE_STRING(buf, newval); - ast_str_append(&sql, 0, "%s %s = '%s'", first ? "" : ",", newparam, ast_str_buffer(buf)); + ast_str_append(&sql, 0, "%s `%s` = '%s'", first ? "" : ",", newparam, ast_str_buffer(buf)); first = 0; /* If the column length isn't long enough, give a chance to lengthen it. */ @@ -816,7 +816,7 @@ static int store_mysql(const char *database, const char *table, va_list ap) /* Create the first part of the query using the first parameter/value pairs we just extracted If there is only 1 set, then we have our query. Otherwise, loop thru the list and concat */ ESCAPE_STRING(buf, newval); - ast_str_set(&sql, 0, "INSERT INTO %s (%s", table, newparam); + ast_str_set(&sql, 0, "INSERT INTO %s (`%s`", table, newparam); ast_str_set(&sql2, 0, ") VALUES ('%s'", ast_str_buffer(buf)); internal_require(database, table, newparam, RQ_CHAR, ast_str_strlen(buf), SENTINEL); @@ -828,7 +828,7 @@ static int store_mysql(const char *database, const char *table, va_list ap) ast_str_reset(buf); } if (internal_require(database, table, newparam, RQ_CHAR, ast_str_strlen(buf), SENTINEL) == 0) { - ast_str_append(&sql, 0, ", %s", newparam); + ast_str_append(&sql, 0, ", `%s`", newparam); ast_str_append(&sql2, 0, ", '%s'", ast_str_buffer(buf)); } } @@ -894,11 +894,11 @@ static int destroy_mysql(const char *database, const char *table, const char *ke /* Create the first part of the query using the first parameter/value pairs we just extracted If there is only 1 set, then we have our query. Otherwise, loop thru the list and concat */ ESCAPE_STRING(buf, lookup); - ast_str_set(&sql, 0, "DELETE FROM %s WHERE %s = '%s'", table, keyfield, ast_str_buffer(buf)); + ast_str_set(&sql, 0, "DELETE FROM %s WHERE `%s` = '%s'", table, keyfield, ast_str_buffer(buf)); while ((newparam = va_arg(ap, const char *))) { newval = va_arg(ap, const char *); ESCAPE_STRING(buf, newval); - ast_str_append(&sql, 0, " AND %s = '%s'", newparam, ast_str_buffer(buf)); + ast_str_append(&sql, 0, " AND `%s` = '%s'", newparam, ast_str_buffer(buf)); } va_end(ap); @@ -1074,7 +1074,7 @@ static int modify_mysql(const char *database, const char *tablename, struct colu res = -1; break; } - ast_str_set(&sql, 0, "ALTER TABLE %s MODIFY %s %s", tablename, column->name, ast_str_buffer(typestr)); + ast_str_set(&sql, 0, "ALTER TABLE %s MODIFY `%s` %s", tablename, column->name, ast_str_buffer(typestr)); if (!column->null) { ast_str_append(&sql, 0, " NOT NULL"); } -- cgit v1.2.3