[PATCH] dlr_mysql.c needs to use mysql_escape_string() from mysql API
Stipe Tolj
st at tolj.org
Sat Aug 9 22:35:19 CEST 2008
Hi list,

we have a possible bug situation in the gw/dlr_mysql.c module, especially for
the dlr_mysql_add() function:

We perform an INSERT into the table space with the values provided in the
dlr_entry struct. The field entry->source is the source address and if we use an
alphanumeric value here containing any SQL "administrative chars" (i.e. ') we
run into a MySQL error. We need to ensure that all values passed from the
"outside" (via smsbox HTTP interface) to the SQL creation format are passed via
MySQL's mysql_escape_string() function, ensuring such chars are escaped.

We had such a patch posted by:

  From: Peter Christensen
  Subject: Re: dlr_mysql_add and internal charset
  Date: Tue, 10 Jan 2006 07:44:02 -0800
  URL: http://www.mail-archive.com/devel@kannel.org/msg05381.html

but it was actually never applied. This is a re-write of Peter's patch, making a
dbpool_mysql_escape_string() wrapper function available in the
gwlib/dbpool_mysql.c and using it in gw/dlr_mysql.c.

Please review and vote for committing to CVS.

Stipe

-------------------------------------------------------------------
Kölner Landstrasse 419
40589 Düsseldorf, NRW, Germany
tolj.org system architecture Kannel Software Foundation (KSF)
http://www.tolj.org/ http://www.kannel.org/
mailto:st_{at}_tolj.org mailto:stolj_{at}_kannel.org
-------------------------------------------------------------------
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mysql_escape_string.diff
Url: http://www.kannel.org/pipermail/devel/attachments/20080809/da31da25/attachment.pl
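
The failure described in the message above, as an added example that is not part of the original post, the attached patch, or Kannel's code: an INSERT built by string formatting breaks when the source address contains a quote, and escaping the value first keeps it inside the string literal. Assumptions: `escape_sql()` is a local stand-in that covers the character set MySQL documents for `mysql_escape_string()` so the block runs without libmysqlclient, and `build_insert()`, `bare_quotes()`, the table name `dlr` and the sender `O'Reilly` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for mysql_escape_string() (assumed set: NUL \n \r \ ' " Ctrl-Z); `to` needs 2*len+1 bytes. */
static void escape_sql(char *to, const char *from, size_t len) {
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        char c = from[i], e = 0;
        switch (c) {
        case '\0':   e = '0'; break;
        case '\n':   e = 'n'; break;
        case '\r':   e = 'r'; break;
        case '\x1a': e = 'Z'; break;
        case '\\': case '\'': case '"': e = c; break;
        }
        if (e) *p++ = '\\';          /* prefix the escape character */
        *p++ = e ? e : c;
    }
    *p = '\0';
}

/* Hypothetical reduction of dlr_mysql_add()'s INSERT; table and column names are constructed. */
static int build_insert(char *out, size_t outlen, const char *source, int escape) {
    char val[2 * 64 + 1];
    size_t len = strlen(source);
    if (len > 64) return -1;         /* val is sized for 64 input bytes */
    if (escape) escape_sql(val, source, len);
    else memcpy(val, source, len + 1);
    int n = snprintf(out, outlen, "INSERT INTO dlr (source) VALUES ('%s');", val);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Quotes not consumed by a backslash escape; one string literal means exactly 2. */
static int bare_quotes(const char *sql) {
    int n = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '\\' && p[1]) p++;
        else if (*p == '\'') n++;
    }
    return n;
}

int main(void) {
    char sql[256];
    for (int esc = 0; esc <= 1; esc++) {   /* "O'Reilly": constructed sender */
        build_insert(sql, sizeof sql, "O'Reilly", esc);
        printf("%s (bare quotes: %d)\n", sql, bare_quotes(sql));
    }
    return 0;
}
```

A count other than 2 means the value has changed the shape of the statement, which is the MySQL error the message reports. In the real module the escaping call would be the MySQL client library's own function rather than this stand-in.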