[PATCH] dlr_mysql.c needs to use mysql_escape_string() from mysql API

Stipe Tolj st at tolj.org
Sat Aug 9 22:35:19 CEST 2008


Hi list,

we have a possible bug situation in the gw/dlr_mysql.c module, especially for 
the dlr_mysql_add() function:

We perform an INSERT into the table space with the values provided in the dlr_entry 
struct. The field entry->source is the source address, and if we used an 
alphanumeric value here containing any SQL "administrative chars" (i.e. ') we 
run into a mysql error. We need to ensure that all values passed from the 
"outside" (via the smsbox HTTP interface) to the SQL creation format are passed through 
mysql's mysql_escape_string() function, ensuring such chars are escaped.

We had such a patch posted by:

   From: Peter Christensen
   Subject: Re: dlr_mysql_add and internal charset
   Date: Tue, 10 Jan 2006 07:44:02 -0800
   URL: http://www.mail-archive.com/devel@kannel.org/msg05381.html

but it was actually never applied. This is a re-write of Peter's patch, making a 
dbpool_mysql_escape_string() wrapper function available in the 
gwlib/dbpool_mysql.c and using it in gw/dlr_mysql.c.

Please review and vote for committing to CVS.

Stipe

-------------------------------------------------------------------
Kölner Landstrasse 419
40589 Düsseldorf, NRW, Germany

tolj.org system architecture      Kannel Software Foundation (KSF)
http://www.tolj.org/              http://www.kannel.org/

mailto:st_{at}_tolj.org           mailto:stolj_{at}_kannel.org
-------------------------------------------------------------------
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mysql_escape_string.diff
Url: http://www.kannel.org/pipermail/devel/attachments/20080809/da31da25/attachment.pl 
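Added illustration of the escaping step the mail describes; this is not the scrubbed patch and not Kannel's dbpool_mysql_escape_string(). The escaper is a hypothetical stand-in that applies the documented mysql_escape_string() rules (NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z each become a backslash sequence), and the table and column names are placeholders, not Kannel's real DLR schema.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in escaper (hypothetical, not Kannel's dbpool_mysql_escape_string):
 * follows the documented mysql_escape_string() rules, turning each of
 * NUL, \n, \r, \\, ', " and Ctrl-Z into a two-character backslash sequence.
 * Caller provides 'to' with at least 2*len+1 bytes; returns bytes written. */
size_t escape_for_mysql(char *to, const char *from, size_t len)
{
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) from[i];
        char esc = 0;
        switch (c) {
        case '\0':   esc = '0';  break;
        case '\n':   esc = 'n';  break;
        case '\r':   esc = 'r';  break;
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\032': esc = 'Z';  break;   /* Ctrl-Z */
        }
        if (esc) { *p++ = '\\'; *p++ = esc; } else *p++ = (char) c;
    }
    *p = '\0';
    return (size_t) (p - to);
}

/* Build the DLR INSERT with the externally supplied source address escaped
 * before it is dropped into the format string. Table/column names are
 * placeholders. Returns a malloc'd string the caller frees. */
char *build_dlr_insert(const char *source)
{
    size_t n = strlen(source);
    char *esc = malloc(2 * n + 1);
    escape_for_mysql(esc, source, n);
    const char *fmt = "INSERT INTO dlr (source) VALUES ('%s');";
    size_t out = strlen(fmt) + strlen(esc) + 1;
    char *sql = malloc(out);
    snprintf(sql, out, fmt, esc);
    free(esc);
    return sql;
}
```

Against a live connection the escaping should come from mysql_real_escape_string(), which takes the connection character set into account, rather than mysql_escape_string().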

