Even though: Looking at the sources: There might be a better option. I overlooked something in the function static Octstr *get_string_value_or_return_null(Octstr *str). It does a octstr_replace where it really had to had the same on a copy on that string. The copy is destroyed later in mysql_save_msg. Let me come up with a better patch later, okay?
This later patch needs to be applied to the following files: - sqlbox_mysql.c - sqlbox_mssql.c - sqlbox_oracle.c - sqlbox_pgsql.c - sqlbox_sdb.c - sqlbox_sqllite.c - sqlbox_sqsllite3.c? == Rene -----Original Message----- From: Alejandro Guerrieri [mailto:[email protected]] Sent: zaterdag 12 juni 2010 19:04 To: Rene Kluwen Cc: Tomasz; Kannel Devel Subject: Re: [PATCH] RE: Messages with php stripslashes Ok, got it :) Seems like it's working then. I'll make a couple of tests myself and commit it to SVN then. Regards, -- Alejandro Guerrieri [email protected] On 12/06/2010, at 16:39, Rene Kluwen wrote: > msg_duplicate is the normal function from msg.h. No special meaning. > > What happens is that gw_sql_save has a side effect. It escapes all text > strings with a backslash before the "'" sign because it displays them in the > INSERT INTO... statement in the database. > When I designed the function I was under the impression that it escaped the > strings in a copy... But apparently it doesn't. > > What happens in the "old" version is that gw_sql_save_msg escapes the > strings inline and later it does a "send_msg(conn->smsbox_connection, conn, > msg)" with the same message... which has a backslash in front of the "'". > > By duplicating the message before calling the gw_sql_save_msg, this behavior > is eliminated. > > Someone on the mailinglist (Tomasz) has already confirmed that the problem > has been solved with this patch. > > == Rene > > > > -----Original Message----- > From: Alejandro Guerrieri [mailto:[email protected]] > Sent: vrijdag 11 juni 2010 23:52 > To: Rene Kluwen > Cc: 'Tomasz'; 'Kannel list'; [email protected] > Subject: Re: [PATCH] RE: Messages with php stripslashes > > + msg_escaped = msg_duplicate(msg); > if (msg->sms.sms_type != report_mo) > - gw_sql_save_msg(msg, octstr_imm("MO")); > + gw_sql_save_msg(msg_escaped, octstr_imm("MO")); > else > - gw_sql_save_msg(msg, octstr_imm("DLR")); > + gw_sql_save_msg(msg_escaped, octstr_imm("DLR")); > + msg_destroy(msg_escaped); > > and > > - gw_sql_save_msg(msg, octstr_imm("MT")); > + msg_escaped = msg_duplicate(msg); > + gw_sql_save_msg(msg_escaped, octstr_imm("MT")); > + msg_destroy(msg_escaped); > > (and other similar lines) > > You're duplicating the msg to msg_escaped and then running the same > gw_sql_save_msg function? What difference does it make? > > Or maybe msg_duplicate does some escaping magic I'm not aware of? If > msg_duplicate does what the name says, I don't see what's changed. > > Regards, > > Alex > -- > Alejandro Guerrieri > [email protected] > > > > On 11/06/2010, at 23:25, Rene Kluwen wrote: > >> Sorry for crossposting. But I think the users are allowed to know what is >> going on, even if this is a developers matter. >> >> I think I found the solution to the problem below, which affects all >> smsbox->sqlbox->bearerbox users. >> >> I must admit: Haven't tested it yet. But it should work. >> >> See attached patch. Votes? >> >> >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On Behalf >> Of Tomasz >> Sent: vrijdag 11 juni 2010 15:10 >> To: Kannel list >> Subject: Re: Messages with php stripslashes >> >> Hi, >> >> I've got the same issue - when we send MT message by CGI which >> contains ' sign, the recipient gets \' (escaped '). When we inject MT >> directly to MySQL Database, recipient get only ' sing (valid!). >> >> Our configuration is: >> >> PHP MT PUSH - SMSBOX - SQLBOX - BEARERBOX - SMSC >> >> The problem is caused probably by SQLBOX - somewhere there must be >> some kind of addslashes function. Escaped sign is being delivered to >> BEARERBOX. I've tried to find this is source code but I was unable. >> >> Have someone fixed this problem yet? >> >> Thanks >> Tomasz >> >> W Twoim liście datowanym 24 maja 2010 (02:05:22) można przeczytać: >> >>> I have posted some weeks ago a similar issue with sqlbox but it is not >>> resolved for the moment, Alejandro to check on his side to reproduce the >>> issue. >> >>> Check my post in the mailling list archive to see if it the same problem: >> >>> Object: *Quote and backslash issue* >> >>> As you when using CGI interface to send a SMS I got the quote escaped on >> the >>> mobile, BUT when using directly SQL injection on sqlbox it works >> correctly. >> >>> Regards, >> >>> Emmanuel >> >> >> >> <sql-escape.patch> > > >
