From 5f5a9710bf05842ed4370e30a68f2650755e55ae Mon Sep 17 00:00:00 2001 From: Nathan Neulinger Date: Wed, 12 Feb 2014 15:22:49 -0600 Subject: [PATCH] FS-6220 fix sql quoting of queries from mod_skinny --- src/mod/endpoints/mod_skinny/mod_skinny.c | 22 +++++++++--------- src/mod/endpoints/mod_skinny/skinny_server.c | 24 ++++++++++---------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/mod/endpoints/mod_skinny/mod_skinny.c b/src/mod/endpoints/mod_skinny/mod_skinny.c index eaba2fb215..ff17ea4b24 100644 --- a/src/mod/endpoints/mod_skinny/mod_skinny.c +++ b/src/mod/endpoints/mod_skinny/mod_skinny.c @@ -955,7 +955,7 @@ switch_status_t channel_on_hangup(switch_core_session_t *session) skinny_session_walk_lines(tech_pvt->profile, switch_core_session_get_uuid(session), channel_on_hangup_callback, &helper); if ((sql = switch_mprintf( - "DELETE FROM skinny_active_lines WHERE channel_uuid='%s'", + "DELETE FROM skinny_active_lines WHERE channel_uuid='%q'", switch_core_session_get_uuid(session) ))) { skinny_execute_sql(tech_pvt->profile, sql, tech_pvt->profile->sql_mutex); @@ -1405,7 +1405,7 @@ void skinny_clean_device_from_db(listener_t *listener, char *device_name) if ((sql = switch_mprintf( "DELETE FROM skinny_devices " - "WHERE name='%s'", + "WHERE name='%q'", device_name))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1413,7 +1413,7 @@ void skinny_clean_device_from_db(listener_t *listener, char *device_name) if ((sql = switch_mprintf( "DELETE FROM skinny_lines " - "WHERE device_name='%s'", + "WHERE device_name='%q'", device_name))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1421,7 +1421,7 @@ void skinny_clean_device_from_db(listener_t *listener, char *device_name) if ((sql = switch_mprintf( "DELETE FROM skinny_buttons " - "WHERE device_name='%s'", + "WHERE device_name='%q'", device_name))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1429,7 +1429,7 @@ void skinny_clean_device_from_db(listener_t *listener, char *device_name) if ((sql = switch_mprintf( "DELETE FROM skinny_active_lines " - "WHERE device_name='%s'", + "WHERE device_name='%q'", device_name))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1453,7 +1453,7 @@ void skinny_clean_listener_from_db(listener_t *listener) if ((sql = switch_mprintf( "DELETE FROM skinny_devices " - "WHERE name='%s' and instance=%d", + "WHERE name='%q' and instance=%d", listener->device_name, listener->device_instance))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1461,7 +1461,7 @@ void skinny_clean_listener_from_db(listener_t *listener) if ((sql = switch_mprintf( "DELETE FROM skinny_lines " - "WHERE device_name='%s' and device_instance=%d", + "WHERE device_name='%q' and device_instance=%d", listener->device_name, listener->device_instance))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1469,7 +1469,7 @@ void skinny_clean_listener_from_db(listener_t *listener) if ((sql = switch_mprintf( "DELETE FROM skinny_buttons " - "WHERE device_name='%s' and device_instance=%d", + "WHERE device_name='%q' and device_instance=%d", listener->device_name, listener->device_instance))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -1477,7 +1477,7 @@ void skinny_clean_listener_from_db(listener_t *listener) if ((sql = switch_mprintf( "DELETE FROM skinny_active_lines " - "WHERE device_name='%s' and device_instance=%d", + "WHERE device_name='%q' and device_instance=%d", listener->device_name, listener->device_instance))) { skinny_execute_sql(profile, sql, profile->sql_mutex); switch_safe_free(sql); @@ -2267,8 +2267,8 @@ static void skinny_call_state_event_handler(switch_event_t *event) if ((sql = switch_mprintf( "UPDATE skinny_active_lines " "SET call_state=%d " - "WHERE device_name='%s' AND device_instance=%d " - "AND %s AND %s", + "WHERE device_name='%q' AND device_instance=%d " + "AND %q AND %q", call_state, listener->device_name, listener->device_instance, line_instance_condition, call_id_condition diff --git a/src/mod/endpoints/mod_skinny/skinny_server.c b/src/mod/endpoints/mod_skinny/skinny_server.c index 6d53e9ee9c..f791699ad3 100644 --- a/src/mod/endpoints/mod_skinny/skinny_server.c +++ b/src/mod/endpoints/mod_skinny/skinny_server.c @@ -163,9 +163,9 @@ switch_status_t skinny_create_incoming_session(listener_t *listener, uint32_t *l if ((sql = switch_mprintf( "INSERT INTO skinny_active_lines " "(device_name, device_instance, line_instance, channel_uuid, call_id, call_state) " - "SELECT device_name, device_instance, line_instance, '%s', %d, %d " + "SELECT device_name, device_instance, line_instance, '%q', %d, %d " "FROM skinny_lines " - "WHERE value='%s'", + "WHERE value='%q'", switch_core_session_get_uuid(nsession), tech_pvt->call_id, SKINNY_ON_HOOK, button->shortname ))) { skinny_execute_sql(listener->profile, sql, listener->profile->sql_mutex); @@ -1070,7 +1070,7 @@ switch_status_t skinny_handle_register(listener_t *listener, skinny_message_t *r if ((sql = switch_mprintf( "INSERT INTO skinny_devices " "(name, user_id, instance, ip, type, max_streams, codec_string) " - "VALUES ('%s','%d','%d', '%s', '%d', '%d', '%s')", + "VALUES ('%q','%d','%d', '%q', '%d', '%d', '%q')", request->data.reg.device_name, request->data.reg.user_id, request->data.reg.instance, @@ -1148,7 +1148,7 @@ switch_status_t skinny_handle_register(listener_t *listener, skinny_message_t *r "label, value, caller_name, " "ring_on_idle, ring_on_active, busy_trigger, " "forward_all, forward_busy, forward_noanswer, noanswer_duration) " - "VALUES('%s', %d, %d, %d, '%s', '%s', '%s', %d, %d, %d, '%s', '%s', '%s', %d)", + "VALUES('%q', %d, %d, %d, '%q', '%q', '%q', %d, %d, %d, '%q', '%q', '%q', %d)", request->data.reg.device_name, request->data.reg.instance, position, line_instance, label, value, caller_name, ring_on_idle, ring_on_active, busy_trigger, @@ -1176,7 +1176,7 @@ switch_status_t skinny_handle_register(listener_t *listener, skinny_message_t *r if ((sql = switch_mprintf( "INSERT INTO skinny_buttons " "(device_name, device_instance, position, type, label, value, settings) " - "VALUES('%s', %d, %d, %d, '%s', '%s', '%s')", + "VALUES('%q', %d, %d, %d, '%q', '%q', '%q')", request->data.reg.device_name, request->data.reg.instance, position, @@ -1230,7 +1230,7 @@ switch_status_t skinny_handle_port_message(listener_t *listener, skinny_message_ skinny_check_data_length(request, sizeof(request->data.as_uint16)); if ((sql = switch_mprintf( - "UPDATE skinny_devices SET port=%d WHERE name='%s' and instance=%d", + "UPDATE skinny_devices SET port=%d WHERE name='%q' and instance=%d", request->data.port.port, listener->device_name, listener->device_instance @@ -1775,7 +1775,7 @@ switch_status_t skinny_handle_capabilities_response(listener_t *listener, skinny } codec_string[string_len] = '\0'; if ((sql = switch_mprintf( - "UPDATE skinny_devices SET codec_string='%s' WHERE name='%s'", + "UPDATE skinny_devices SET codec_string='%q' WHERE name='%s'", codec_string, listener->device_name ))) { @@ -2101,7 +2101,7 @@ switch_status_t skinny_headset_status_message(listener_t *listener, skinny_messa skinny_check_data_length(request, sizeof(request->data.headset_status)); if ((sql = switch_mprintf( - "UPDATE skinny_devices SET headset=%d WHERE name='%s' and instance=%d", + "UPDATE skinny_devices SET headset=%d WHERE name='%q' and instance=%d", (request->data.headset_status.mode==1) ? SKINNY_ACCESSORY_STATE_OFFHOOK : SKINNY_ACCESSORY_STATE_ONHOOK, listener->device_name, listener->device_instance @@ -2263,7 +2263,7 @@ switch_status_t skinny_handle_accessory_status_message(listener_t *listener, ski switch(request->data.accessory_status.accessory_id) { case SKINNY_ACCESSORY_HEADSET: if ((sql = switch_mprintf( - "UPDATE skinny_devices SET headset=%d WHERE name='%s' and instance=%d", + "UPDATE skinny_devices SET headset=%d WHERE name='%q' and instance=%d", request->data.accessory_status.accessory_status, listener->device_name, listener->device_instance @@ -2274,7 +2274,7 @@ switch_status_t skinny_handle_accessory_status_message(listener_t *listener, ski break; case SKINNY_ACCESSORY_HANDSET: if ((sql = switch_mprintf( - "UPDATE skinny_devices SET handset=%d WHERE name='%s' and instance=%d", + "UPDATE skinny_devices SET handset=%d WHERE name='%q' and instance=%d", request->data.accessory_status.accessory_status, listener->device_name, listener->device_instance @@ -2285,7 +2285,7 @@ switch_status_t skinny_handle_accessory_status_message(listener_t *listener, ski break; case SKINNY_ACCESSORY_SPEAKER: if ((sql = switch_mprintf( - "UPDATE skinny_devices SET speaker=%d WHERE name='%s' and instance=%d", + "UPDATE skinny_devices SET speaker=%d WHERE name='%q' and instance=%d", request->data.accessory_status.accessory_status, listener->device_name, listener->device_instance @@ -2347,7 +2347,7 @@ switch_status_t skinny_handle_updatecapabilities(listener_t *listener, skinny_me } codec_string[string_len] = '\0'; if ((sql = switch_mprintf( - "UPDATE skinny_devices SET codec_string='%s' WHERE name='%s'", + "UPDATE skinny_devices SET codec_string='%q' WHERE name='%q'", codec_string, listener->device_name ))) {