Daniel-Constantin Mierla wrote:
Hello Klaus,
On 02/17/06 14:59, Klaus Darilion wrote:
> Is the query SQL-injection safe?
Depending on what you do and how :-). Authenticating the user
should prevent bad values in the From header and credentials; some
character sequences are not allowed to be part of user or domain
names. Using values from custom headers is quite risky, you have to
use other techniques to ensure a trusted value. So, I am sure that
someone can get some examples of doing SQL injections even without
using avp_db_query(); there are many other modules doing SQL
queries using parts of the SIP message, but these situations can be
avoided if you know what you are doing in the script. I do not know
a technique to prevent 100% of SQL injections, are you aware of one?
AFAIK there are 2 ways to prevent SQL injection.
1. quoting and escaping
2. Do not put the user input into the SQL query text, but pass it
explicitly as a parameter. This way, the DB client library prevents SQL
injection.
I've checked the postgresql module, which supports both versions. If
"params" are defined, the safe version is used. But when raw
queries are used, there is no protection through the API, thus
checks must be done before. Does this query work?
if (avp_subst("s:foo","/\"//")) {
sl_send_reply("403","bad syntax");
}
I am not sure I got what you want to achieve with this statement. Do
you want to forbid messages which have quotes or some other
"dangerous" characters in some pseudo-variables? Or you want to
escape the quotes?
You can do quoting and escaping from the script, as you already
mentioned, using avp_subst(). Checks for special characters like
quotes or double dash can be done via avp_check().
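The two approaches discussed in this thread (raw query text built from SIP values versus the query with "params"), plus script-side escaping and a character check in the spirit of avp_check(), side by side. This is an added example, not code from the thread or from OpenSER/Kamailio; it uses Python's sqlite3 module in place of the postgresql module, a constructed "subscriber" table, and hypothetical helper names (lookup_raw, lookup_param, lookup_escaped, has_dangerous_chars, strip_double_quotes). The attacker values are constructed From-user strings.

```python
import sqlite3

# Constructed sample data: a tiny subscriber table like a SIP proxy's auth table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, ha1 TEXT)")
    conn.executemany(
        "INSERT INTO subscriber VALUES (?, ?, ?)",
        [("alice", "example.com", "deadbeef"), ("bob", "example.com", "cafebabe")],
    )
    return conn

# 1) Raw query: the From user/domain are glued into the SQL text.
#    Nothing in the DB API protects this path; anything the caller did
#    not check reaches the parser as SQL.
def lookup_raw(conn, user, domain):
    sql = ("SELECT username FROM subscriber WHERE username = '" + user
           + "' AND domain = '" + domain + "'")
    return [row[0] for row in conn.execute(sql)]

# 2) Parameterised query: the SQL text is fixed and the values travel
#    separately, so the driver never re-parses them as SQL.
def lookup_param(conn, user, domain):
    sql = "SELECT username FROM subscriber WHERE username = ? AND domain = ?"
    return [row[0] for row in conn.execute(sql, (user, domain))]

# 1a) Script-side escaping for a raw query: double every single quote so
#     the value stays inside its literal. Rejects NUL, which some C-based
#     drivers would silently truncate at.
def escape_literal(value):
    if "\x00" in value:
        raise ValueError("NUL byte in SQL literal")
    return value.replace("'", "''")

def lookup_escaped(conn, user, domain):
    sql = ("SELECT username FROM subscriber WHERE username = '" + escape_literal(user)
           + "' AND domain = '" + escape_literal(domain) + "'")
    return [row[0] for row in conn.execute(sql)]

# Allow-or-reject check before a raw query (what avp_check() would do in
# the script): quotes, comment markers and statement separators are not
# legal in a SIP user part we want to trust, so reject the request.
def has_dangerous_chars(value):
    return any(c in value for c in "'\";\\") or "--" in value or "/*" in value

# What the posted avp_subst("s:foo","/\"//") does if read as "delete
# double quotes": it leaves single quotes alone, so it is not a defence
# for a raw query built with single-quoted literals.
def strip_double_quotes(value):
    return value.replace('"', "")

if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile From users: tautology, and a comment that cuts off
    # the domain condition.
    for user, domain in [("' OR '1'='1", "example.com"), ("alice' --", "wrong.example")]:
        print("raw      :", lookup_raw(conn, user, domain))
        print("escaped  :", lookup_escaped(conn, user, domain))
        print("param    :", lookup_param(conn, user, domain))
        print("rejected :", has_dangerous_chars(user))
        print("dq-strip :", repr(strip_double_quotes(user)))
```

With the raw query the tautology returns every subscriber (AND binds tighter than OR, so the domain condition only guards the second half) and the comment payload logs in "alice" against the wrong domain; the parameterised and escaped variants return no rows for either, and the character check would have rejected both values before any query ran. Escaping must be done for every value on every raw query, which is why the params path is the safer default.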