From c12493b76531de8199f33a2a34238f7def8b194b Mon Sep 17 00:00:00 2001
From: tilghman
Date: Tue, 27 Dec 2005 02:02:23 +0000
Subject: Add SQL_ESC to allow single ticks to be escaped
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@7642 f38db490-d61c-443f-a65b-d21fe96a405b
---
 configs/func_odbc.conf.sample | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'configs/func_odbc.conf.sample')
diff --git a/configs/func_odbc.conf.sample b/configs/func_odbc.conf.sample
index 0c4a01517..bcf769e37 100644
--- a/configs/func_odbc.conf.sample
+++ b/configs/func_odbc.conf.sample
@@ -12,6 +12,11 @@
 ; In addition, for write statements, you have ${VAL1}, ${VAL2} ... ${VALn}
 ; parsed, just like arguments, for the values. In addition, if you want the
 ; whole value, never mind the parsing, you can get that with ${VALUE}.
+;
+;
+; If you have data which may potentially contain single ticks, you may wish
+; to use the dialplan function SQL_ESC() to escape the data prior to its
+; inclusion in the SQL statement.
 ; ODBC_SQL - Allow an SQL statement to be built entirely in the dialplan
@@ -22,11 +27,11 @@ read=${ARG1}
 ; ODBC_ANTIGF - A blacklist.
 [ANTIGF]
 dsn=mysql1
-read=SELECT COUNT(*) FROM exgirlfriends WHERE callerid='${ARG1}'
+read=SELECT COUNT(*) FROM exgirlfriends WHERE callerid='${SQL_ESC(${ARG1})}'
 ; ODBC_PRESENCE - Retrieve and update presence
 [PRESENCE]
 dsn=mysql1
-read=SELECT location FROM presence WHERE id='${ARG1}'
-write=UPDATE presence SET location='${VAL1}' WHERE id='${ARG1}'
+read=SELECT location FROM presence WHERE id='${SQL_ESC(${ARG1})}'
+write=UPDATE presence SET location='${SQL_ESC(${VAL1})}' WHERE id='${SQL_ESC(${ARG1})}'
--
cgit v1.2.3
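Review bot: The comment added after the `${VALUE}` paragraph presents escaping as optional ("you may wish to use"), although every sample statement below places `${ARG1}` or `${VAL1}` inside a single-ticked SQL literal, and a value such as caller ID is normally supplied by the remote party. I would state it as a requirement, for example `; Any dialplan value placed between single ticks in an SQL statement must be` / `; passed through SQL_ESC() first; unquoted (e.g. numeric) positions need their own validation.` The `[SQL]` stanza, of which only `read=${ARG1}` is visible in the next hunk header, takes the whole statement from the dialplan, so the comment should also say that escaping there has to happen at the call site.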
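Review bot: The three rewritten statements in `[ANTIGF]` and `[PRESENCE]` all use `dsn=mysql1`, and going by the commit subject SQL_ESC() deals with single ticks only. In its default SQL mode MySQL also treats a backslash inside a string literal as an escape character, so tick-only escaping may not keep a value inside its quotes on that backend. The implementation of SQL_ESC() is not part of this diff, so this needs confirming against the function source. If backslashes are not handled, the sample should say so above the `[ANTIGF]` stanza, e.g. `; NOTE: SQL_ESC() escapes single ticks only; with MySQL either enable the` / `; NO_BACKSLASH_ESCAPES sql_mode or reject values containing backslashes.`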