Module: sems Branch: master Commit: ec5de375469d52decf8abd8071ff4d4cd69e2b25 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sems/?a=commit;h=ec5de375469d52decf8abd8071ff4d4cd69e2b25
Author: Stefan Sayer <[email protected]>
Committer: Stefan Sayer <[email protected]>
Date: Thu Sep 15 12:55:14 2011 +0200
DSM: mod_mysql: add mysql.escape function
escaping SQL strings helps to protect from injection attacks when data is taken directly from SIP message (e.g. @user in mysql.execute(...))
---
 apps/dsm/mods/mod_mysql/ModMysql.cpp | 25 ++++++++++++++++++++++++-
 apps/dsm/mods/mod_mysql/ModMysql.h | 1 +
 doc/dsm/mods/Readme.mod_mysql.txt | 12 +++++++++++-
 3 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/apps/dsm/mods/mod_mysql/ModMysql.cpp b/apps/dsm/mods/mod_mysql/ModMysql.cpp
index 6bec11d..22be34a 100644
--- a/apps/dsm/mods/mod_mysql/ModMysql.cpp
+++ b/apps/dsm/mods/mod_mysql/ModMysql.cpp
@@ -63,7 +63,7 @@ DSMAction* SCMysqlModule::getAction(const string& from_str) {
 DEF_CMD("mysql.playDBAudio", SCMyPlayDBAudioAction);
 DEF_CMD("mysql.getFileFromDB", SCMyGetFileFromDBAction);
 DEF_CMD("mysql.putFileToDB", SCMyPutFileToDBAction);
-
+ DEF_CMD("mysql.escape", SCMyEscapeAction);
 
 return NULL;
 }
@@ -608,3 +608,26 @@ EXEC_ACTION_START(SCMyPutFileToDBAction) {
 sc_sess->var["db.ereason"] = e.what();
 }
 } EXEC_ACTION_END;
+
+CONST_ACTION_2P(SCMyEscapeAction, '=', false);
+EXEC_ACTION_START(SCMyEscapeAction) {
+ mysqlpp::Connection* conn =
+ getMyDSMSessionConnection(sc_sess);
+
+ if (NULL == conn)
+ return false;
+
+ mysqlpp::Query query = conn->query();
+
+ string val = resolveVars(par2, sess, sc_sess, event_params);
+
+ string dstvar = par1;
+ if (dstvar.size() && dstvar[0] == '$') {
+ dstvar = dstvar.substr(1);
+ }
+ string res;
+ query.escape_string(&res, val.c_str(), val.length());
+ sc_sess->var[dstvar] = res;
+ DBG("escaped: $%s = escape(%s) = %s\n",
+ dstvar.c_str(), val.c_str(), res.c_str());
+} EXEC_ACTION_END;
diff --git a/apps/dsm/mods/mod_mysql/ModMysql.h b/apps/dsm/mods/mod_mysql/ModMysql.h
index 1c7e5d7..3bec513 100644
--- a/apps/dsm/mods/mod_mysql/ModMysql.h
+++ b/apps/dsm/mods/mod_mysql/ModMysql.h
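Review bot: The escaped string is only safe when the statement that later consumes it wraps it in single quotes, because `escape_string` escapes but does not quote, so an unquoted or numeric use such as `WHERE id=$safe_user` in a following mysql.execute gains nothing; neither a comment at `query.escape_string(&res, ...)` nor the readme's escape section says this, and I would add `// result is escaped, not quoted: callers must place it inside '...' in the statement` above that call and the same sentence to the readme. The `NULL == conn` guard returns false without setting `$errno`/`$db.ereason` the way SCMyPutFileToDBAction just above reports failures (unless getMyDSMSessionConnection already does that, which is not visible here), and it only checks for a non-NULL object, not that the connection is still open, which is what the charset-aware escaping promised in the readme depends on. `conn->query()` and `escape_string` also run outside any try/catch, unlike the sibling action, so a mysqlpp exception would leave the action if exceptions are enabled on this connection. Finally, the DBG line writes the raw SIP-supplied value, the very input this action exists to neutralize, into the log; logging the destination variable and sizes instead, `DBG("escaped: $%s (%zu bytes in, %zu out)\n", dstvar.c_str(), val.length(), res.length());`, avoids log noise and log injection from that input.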
@@ -90,5 +90,6 @@ DEF_ACTION_1P(SCMyUseResultAction);
 DEF_ACTION_2P(SCMyPlayDBAudioAction);
 DEF_ACTION_2P(SCMyGetFileFromDBAction);
 DEF_ACTION_2P(SCMyPutFileToDBAction);
+DEF_ACTION_2P(SCMyEscapeAction);
 
 #endif
diff --git a/doc/dsm/mods/Readme.mod_mysql.txt b/doc/dsm/mods/Readme.mod_mysql.txt
index 8d4509b..2104a70 100644
--- a/doc/dsm/mods/Readme.mod_mysql.txt
+++ b/doc/dsm/mods/Readme.mod_mysql.txt
@@ -10,7 +10,6 @@ Actions: ======= -- connect connection - mysql.connect([db_url]) - sets $errno if error occured (arg,) and $db.ereason
@@ -101,6 +100,17 @@ Actions:
 
 sets $db.rows, $db.info, $db.insert_id
 
+ -- escape:
+ mysql.escape($dstvar=$src);
+
+ save SQL-escaped version of $src in $dstvar, taking into account default
+ character set of connected DB server. A connection to MySQL server must be
+ established!
+
+ examples:
+ mysql.escape($safe_user=@user);
+
+
 Conditions
 ==========
 mysql.hasResult()
_______________________________________________
Semsdev mailing list
[email protected]
http://lists.iptel.org/mailman/listinfo/semsdev
