[asterisk-commits] trunk - r7642 in /trunk: configs/func_odbc.conf.sample funcs/func_odbc.c

asterisk-commits at lists.digium.com asterisk-commits at lists.digium.com
Mon Dec 26 20:02:24 CST 2005


Author: tilghman
Date: Mon Dec 26 20:02:23 2005
New Revision: 7642

URL: http://svn.digium.com/view/asterisk?rev=7642&view=rev
Log:
Add SQL_ESC to allow single ticks to be escaped

Modified:
    trunk/configs/func_odbc.conf.sample
    trunk/funcs/func_odbc.c

Modified: trunk/configs/func_odbc.conf.sample
URL: http://svn.digium.com/view/asterisk/trunk/configs/func_odbc.conf.sample?rev=7642&r1=7641&r2=7642&view=diff
==============================================================================
--- trunk/configs/func_odbc.conf.sample (original)
+++ trunk/configs/func_odbc.conf.sample Mon Dec 26 20:02:23 2005
@@ -12,6 +12,11 @@
 ; In addition, for write statements, you have ${VAL1}, ${VAL2} ... ${VALn}
 ; parsed, just like arguments, for the values.  In addition, if you want the
 ; whole value, never mind the parsing, you can get that with ${VALUE}.
+;
+;
+; If you have data which may potentially contain single ticks, you may wish
+; to use the dialplan function SQL_ESC() to escape the data prior to its
+; inclusion in the SQL statement.
 
 
 ; ODBC_SQL - Allow an SQL statement to be built entirely in the dialplan
@@ -22,11 +27,11 @@
 ; ODBC_ANTIGF - A blacklist.
 [ANTIGF]
 dsn=mysql1
-read=SELECT COUNT(*) FROM exgirlfriends WHERE callerid='${ARG1}'
+read=SELECT COUNT(*) FROM exgirlfriends WHERE callerid='${SQL_ESC(${ARG1})}'
 
 ; ODBC_PRESENCE - Retrieve and update presence
 [PRESENCE]
 dsn=mysql1
-read=SELECT location FROM presence WHERE id='${ARG1}'
-write=UPDATE presence SET location='${VAL1}' WHERE id='${ARG1}'
+read=SELECT location FROM presence WHERE id='${SQL_ESC(${ARG1})}'
+write=UPDATE presence SET location='${SQL_ESC(${VAL1})}' WHERE id='${SQL_ESC(${ARG1})}'
 

Modified: trunk/funcs/func_odbc.c
URL: http://svn.digium.com/view/asterisk/trunk/funcs/func_odbc.c?rev=7642&r1=7641&r2=7642&view=diff
==============================================================================
--- trunk/funcs/func_odbc.c (original)
+++ trunk/funcs/func_odbc.c Mon Dec 26 20:02:23 2005
@@ -350,6 +350,35 @@
 	SQLFreeHandle(SQL_HANDLE_STMT, stmt);
 	return buf;
 }
+
+static char *acf_escape(struct ast_channel *chan, char *cmd, char *data, char *buf, size_t len)
+{
+	char *in, *out = buf;
+	for (in = data; *in && out - buf < len; in++) {
+		if (*in == '\'') {
+			*out = '\'';
+			out++;
+		}
+		*out = *in;
+		out++;
+	}
+	*out = '\0';
+	return buf;
+}
+
+struct ast_custom_function escape_function = {
+	.name = "SQL_ESC",
+	.synopsis = "Escapes single ticks for use in SQL statements",
+	.syntax = "SQL_ESC(<string>)",
+	.desc =
+"Used in SQL templates to escape data which may contain single ticks (') which\n"
+"are otherwise used to delimit data.  For example:\n"
+"SELECT foo FROM bar WHERE baz='${SQL_ESC(${ARG1})}'\n",
+	.read = acf_escape,
+	.write = NULL,
+};
+
+
 
 static int init_acf_query(struct ast_config *cfg, char *catg, struct acf_odbc_query **query)
 {
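Review bot: acf_escape's bound `out - buf < len` is tested before each input byte, but the body may emit two bytes (the doubled tick) and the closing `*out = '\0'` is written after the loop with no room reserved, so once the output reaches `len` bytes the terminator lands at `buf[len]` and a tick in the last slot writes to `buf[len+1]`. Reserve the terminator and the extra byte in the loop condition: `for (in = data; *in && (size_t)(out - buf) + (*in == '\'' ? 2 : 1) < len; in++) {`. The cast also removes the ptrdiff_t/size_t mixed-sign comparison in the original condition. Doubling the quote is the portable SQL escape, but the sample config pairs it with a MySQL DSN, where a backslash in the input is itself an escape character under the default sql_mode, so the `.desc` text should state that SQL_ESC handles only single ticks and is not a complete guard for untrusted input. `escape_function` is referenced only in this file and could be declared `static`; the functions at both edges of the hunk are cut off outside it.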
@@ -477,6 +506,7 @@
 	}
 
 	ast_config_destroy(cfg);
+	ast_custom_function_register(&escape_function);
 out:
 	ast_mutex_unlock(&query_lock);
 	return res;
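Review bot: The return value of `ast_custom_function_register(&escape_function)` is discarded, so a failed registration (the call returns non-zero on failure) leaves `res` reporting success while SQL_ESC is absent from the dialplan. Consider `if (ast_custom_function_register(&escape_function)) res = -1;` or at least a warning log. The enclosing function begins before the hunk, so it cannot be confirmed here whether this path also runs on reload, where registering the same struct a second time would fail.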
@@ -506,6 +536,8 @@
 	if (lastquery)
 		free(lastquery);
 	queries = NULL;
+
+	ast_custom_function_unregister(&escape_function);
 
 	ast_mutex_unlock(&query_lock);
 	return 0;


