definitively ++1

Vincent.


Stipe Tolj a écrit :
Hi list,

we have a possible bug situation in the gw/dlr_mysql.c module, especially for the dlr_mysql_add() function:

We perform an INSERT into the table space with the values provided in dlr_entry struct. The field entry->source is the source address and if we used an alphanumeric value here containing any SQL "administrative chars" (i.e. ') we run into an mysql error. We need to ensure that all values passed from the "outside" (via smsbox HTTP interface) to the SQL creation format is passed via mysql's mysql_escape_string() function, ensuring such chars are escaped.

We had such a patch posted by:

  From: Peter Christensen
  Subject: Re: dlr_mysql_add and internal charset
  Date: Tue, 10 Jan 2006 07:44:02 -0800
  URL: http://www.mail-archive.com/[email protected]/msg05381.html

but it was actually never applied. This is a re-write of Peter's patch, making a dbpool_mysql_escape_string() wrapper function available in the gwlib/dbpool_mysql.c and using it in gw/dlr_mysql.c.

Please review and vote for committing to CVS.

Stipe

-------------------------------------------------------------------
Kölner Landstrasse 419
40589 Düsseldorf, NRW, Germany

tolj.org system architecture      Kannel Software Foundation (KSF)
http://www.tolj.org/              http://www.kannel.org/

mailto:st_{at}_tolj.org           mailto:stolj_{at}_kannel.org
-------------------------------------------------------------------


--
Telemaque - 06560 SOPHIA-ANTIPOLIS - (FR)
Service Technique/Reseau - NOC
Direction du Developpement xMS+
http://www.telemaque.fr/
[EMAIL PROTECTED]
Tel : +33 4 92 90 99 84 (fax 9142)


Reply via email to