Commit 39894fca authored by Ted Trask's avatar Ted Trask

Fix to use escape function from db library

parent 52313309
......@@ -98,22 +98,22 @@ local generatewhereclause = function(username, message, foldername, uid)
local sql = ""
local where = {}
if username and username ~= "" then
where[#where+1] = "username = '"..escape(username).."'"
where[#where+1] = "username = '"..vmaildb.escape(username).."'"
end
if message and type(message) == "string" and message ~= "" then
where[#where+1] = "uuid = '"..escape(message).."'"
where[#where+1] = "uuid = '"..vmaildb.escape(message).."'"
elseif message and type(message) == "table" and #message > 0 then
local where2 = {}
for i,m in ipairs(message) do
where2[#where2+1] = "uuid = '"..escape(m).."'"
where2[#where2+1] = "uuid = '"..vmaildb.escape(m).."'"
end
where[#where+1] = "(" .. table.concat(where2, " OR ") .. ")"
end
if foldername and foldername ~= "" then
where[#where+1] = "in_folder = '"..escape(foldername).."'"
where[#where+1] = "in_folder = '"..vmaildb.escape(foldername).."'"
end
if uid and uid ~= "" then
where[#where+1] = "uid = '"..escape(uid).."'"
where[#where+1] = "uid = '"..vmaildb.escape(uid).."'"
end
if #where > 0 then
sql = " WHERE " .. table.concat(where, " AND ")
......@@ -209,7 +209,7 @@ local setuserparams = function(userparams)
for i,parm in ipairs(params) do
if parm.name and not ignoreparam[parm.name] then
if userparams[parm.name] and (userparams[parm.name].value ~= nil) and tostring(userparams[parm.name].value) ~= parm.value then
sql = "INSERT INTO voicemail_values VALUES('"..escape(uid[1].uid).."', '"..escape(parm.nid).."', '"..escape(tostring(userparams[parm.name].value)).."')"
sql = "INSERT INTO voicemail_values VALUES('"..vmaildb.escape(uid[1].uid).."', '"..vmaildb.escape(parm.nid).."', '"..vmaildb.escape(tostring(userparams[parm.name].value)).."')"
vmaildb.runsqlcommand(sql, true)
end
end
......@@ -221,10 +221,10 @@ local setuserparams = function(userparams)
local password = vmaildb.getselectresponse(sql, true)
if #password > 0 then
-- update
sql = "UPDATE voicemail_prefs SET password='"..escape(userparams["vm-password"].value).."'"..generatewhereclause(userparams.username.value)
sql = "UPDATE voicemail_prefs SET password='"..vmaildb.escape(userparams["vm-password"].value).."'"..generatewhereclause(userparams.username.value)
else
-- insert
sql = "INSERT INTO voicemail_prefs (username, domain, password) VALUES ('"..escape(userparams.username.value).."', '"..escape(config.domain).."', '"..escape(userparams["vm-password"].value).."')"
sql = "INSERT INTO voicemail_prefs (username, domain, password) VALUES ('"..vmaildb.escape(userparams.username.value).."', '"..vmaildb.escape(config.domain).."', '"..vmaildb.escape(userparams["vm-password"].value).."')"
end
vmaildb.runsqlcommand(sql, true)
end
......@@ -550,7 +550,7 @@ mymodule.move_message = function(self, moverequest)
-- Check if newfolder exists
if validfolder(moverequest.value.newfolder.value) then
for i,m in ipairs(mess) do
local sql = "UPDATE voicemail_msgs SET in_folder='"..escape(moverequest.value.newfolder.value).."'" .. generatewhereclause(moverequest.value.username.value, messages)
local sql = "UPDATE voicemail_msgs SET in_folder='"..vmaildb.escape(moverequest.value.newfolder.value).."'" .. generatewhereclause(moverequest.value.username.value, messages)
vmaildb.runsqlcommand(sql)
end
if #mess == 1 then
......@@ -739,7 +739,7 @@ mymodule.update_usersettings = function(self, usersettings, action, create)
errtxt = "User does not exist"
else
if create then
sql = "INSERT INTO voicemail_users VALUES(null, '"..escape(usersettings.value.username.value).."')"
sql = "INSERT INTO voicemail_users VALUES(null, '"..vmaildb.escape(usersettings.value.username.value).."')"
vmaildb.runsqlcommand(sql)
end
success,errtxt = setuserparams(usersettings.value)
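Review bot: Every hunk still assembles its statement by string concatenation around `vmaildb.escape`, so query correctness now rests entirely on that one function handling every value type it is handed; in the setuserparams hunk, on the line beginning `sql = "INSERT INTO voicemail_values`, `uid[1].uid` and `parm.nid` are passed without the `tostring` wrapper the third value gets, so if either is numeric (the names suggest it, but the hunk does not show it) the behaviour of `vmaildb.escape` on non-strings should be confirmed. A single local helper that quotes and escapes in one place, `local function quoted(v) return "'"..vmaildb.escape(tostring(v)).."'" end`, would make the quoting uniform across generatewhereclause, setuserparams, move_message and update_usersettings and remove the repeated `'"..vmaildb.escape(x).."'` pattern that each hunk copies. If vmaildb offers a parameterised or prepared-statement interface, generatewhereclause is the natural place to adopt it and drop the dependence on escaping, but nothing on the page shows whether one exists. Each of the four functions begins and ends outside its hunk.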
......