[MERGED] osmo-msc[master]: sms db: properly quote MSISDN in various SQL queries

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Thu Dec 7 22:36:44 UTC 2017 

Harald Welte has submitted this change and it was merged.

Change subject: sms db: properly quote MSISDN in various SQL queries
......................................................................


sms db: properly quote MSISDN in various SQL queries

Related: OS#2706
Change-Id: I793a3863e6f4ccbabafc7dabaff97a8c79bbd8e0
---
M src/libmsc/db.c
1 file changed, 18 insertions(+), 5 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified

Objections:
  Max: I would prefer this is not merged as is



diff --git a/src/libmsc/db.c b/src/libmsc/db.c
index ca27b6a..eba4b1b 100644
--- a/src/libmsc/db.c
+++ b/src/libmsc/db.c
@@ -836,6 +836,7 @@
 	struct gsm_network *net = vsub->vlr->user_ctx;
 	dbi_result result;
 	struct gsm_sms *sms;
+	char *q_msisdn;
 
 	if (!vsub->lu_complete)
 		return NULL;
@@ -844,13 +845,16 @@
 	if (*vsub->msisdn == '\0')
 		return NULL;
 
+	dbi_conn_quote_string_copy(conn, vsub->msisdn, &q_msisdn);
 	result = dbi_conn_queryf(conn,
 		"SELECT * FROM SMS"
 		" WHERE sent IS NULL"
-		" AND dest_addr=%s"
+		" AND dest_addr = %s"
 		" AND deliver_attempts <= %u"
 		" ORDER BY id LIMIT 1",
-		vsub->msisdn, max_failed);
+		q_msisdn, max_failed);
+	free(q_msisdn);
+
 	if (!result)
 		return NULL;
 
@@ -872,14 +876,18 @@
 {
 	dbi_result result;
 	struct gsm_sms *sms;
+	char *q_last_msisdn;
 
+	dbi_conn_quote_string_copy(conn, last_msisdn, &q_last_msisdn);
 	result = dbi_conn_queryf(conn,
 		"SELECT * FROM SMS"
 		" WHERE sent IS NULL"
-		" AND dest_addr > '%s'"
+		" AND dest_addr > %s"
 		" AND deliver_attempts <= %u"
 		" ORDER BY dest_addr, id LIMIT 1",
-		last_msisdn, max_failed);
+		q_last_msisdn, max_failed);
+	free(q_last_msisdn);
+
 	if (!result)
 		return NULL;
 
@@ -936,11 +944,16 @@
 int db_sms_delete_by_msisdn(const char *msisdn)
 {
 	dbi_result result;
+	char *q_msisdn;
 	if (!msisdn || !*msisdn)
 		return 0;
+
+	dbi_conn_quote_string_copy(conn, msisdn, &q_msisdn);
 	result = dbi_conn_queryf(conn,
 		    "DELETE FROM SMS WHERE src_addr=%s OR dest_addr=%s",
-		    msisdn, msisdn);
+		    q_msisdn, q_msisdn);
+	free(q_msisdn);
+
 	if (!result) {
 		LOGP(DDB, LOGL_ERROR,
 		     "Failed to delete SMS for %s\n", msisdn);

-- 
To view, visit https://gerrit.osmocom.org/5184
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I793a3863e6f4ccbabafc7dabaff97a8c79bbd8e0
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>

More information about the gerrit-log mailing list