[OpenSIPS-Devel] [opensips] db_sqlite3 sql statements not escaped (#473)

Jarrod Baumann notifications at github.com
Tue Apr 21 00:34:53 CEST 2015


#### opensips log error
localhost opensips: ERROR:db_sqlite:db_sqlite_insert: failed to prepare: (near "1.0": syntax error)
localhost opensips: ERROR:db_sqlite:db_sqlite_insert: insert query failed near "1.0": syntax error

#### gdb query
(gdb) print query_holder
$3 = {
  s = 0x852740 <sql_buf> "insert into presentity (domain,username,event,etag,expires,sender,body,received_time ) values ('sqlite.sipy.org','jarrod','presence','a.1429566087.15836.8.0',1429569706,'','<?xml version='1.0' encodin"..., len = 655}

#### synopsis
the val2str seems to simply use strncpy for appending to the sql buffer which obviously will not escape single quotes.  the preferred method is probably to use bindings to prepared statements (https://www.sqlite.org/c3ref/bind_blob.html) which would entail replacing the values with ? or so and relooping over the value array using the index as the second argument of something like sqlite3_bind_text.  The libsqlite3 also seems to include sqlite3_snprintf and some other functions but they don't appear to be safe.

going home, just reporting this here, thanks.

---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/473
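The contrast the report describes, as an added example that is not part of the original issue or of the OpenSIPS db_sqlite module: a quoted-and-concatenated INSERT fails as soon as a value (here a PIDF body with `version='1.0'` in its XML declaration) contains single quotes, while the same INSERT with `?` placeholders and bound parameters stores the value intact. The real fix in the module would be C calls to sqlite3_prepare_v2 and sqlite3_bind_text; this example uses Python's standard sqlite3 module, which binds through that same C API, so it runs without OpenSIPS. The table layout, the row values and the PIDF body are constructed for the example, modelled on the gdb dump above.

```python
import sqlite3

# Constructed sample row, modelled on the query in the gdb output above.
# The body is a PIDF document whose XML declaration uses single quotes,
# exactly the kind of value that broke the concatenated query.
PIDF_BODY = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<presence xmlns='urn:ietf:params:xml:ns:pidf' "
    "entity='sip:jarrod@sqlite.sipy.org'>"
    "<tuple id='t1'><status><basic>open</basic></status></tuple>"
    "</presence>"
)

COLUMNS = ("domain", "username", "event", "etag",
           "expires", "sender", "body", "received_time")

ROW = {
    "domain": "sqlite.sipy.org",
    "username": "jarrod",
    "event": "presence",
    "etag": "a.1429566087.15836.8.0",
    "expires": 1429569706,
    "sender": "",
    "body": PIDF_BODY,
    "received_time": 1429566106,   # constructed value
}


def fresh_db():
    """In-memory database with a minimal presentity table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table presentity (domain text, username text, event text, "
        "etag text, expires integer, sender text, body text, "
        "received_time integer)"
    )
    return conn


def val2str_naive(value):
    """Mimic the reported behaviour: wrap strings in quotes without escaping."""
    if isinstance(value, int):
        return str(value)
    return "'" + value + "'"


def insert_concatenated(conn, row):
    """The broken pattern: values pasted into the SQL text (raises on quotes)."""
    sql = "insert into presentity (%s) values (%s)" % (
        ",".join(COLUMNS),
        ",".join(val2str_naive(row[c]) for c in COLUMNS),
    )
    conn.execute(sql)
    conn.commit()
    return sql


def insert_bound(conn, row):
    """The recommended pattern: '?' placeholders plus bound parameters.
    Values never touch the SQL text, so quotes need no escaping at all."""
    sql = "insert into presentity (%s) values (%s)" % (
        ",".join(COLUMNS),
        ",".join("?" for _ in COLUMNS),
    )
    conn.execute(sql, tuple(row[c] for c in COLUMNS))
    conn.commit()
    return sql


def stored_body(conn, etag):
    """Read the body column back for one etag (also via a bound parameter)."""
    return conn.execute(
        "select body from presentity where etag = ?", (etag,)
    ).fetchone()[0]


def demo():
    """Run both inserts against a fresh database.
    Returns (error text from the concatenated insert or None, body stored by
    the bound insert)."""
    conn = fresh_db()
    try:
        insert_concatenated(conn, ROW)
        naive_error = None
    except sqlite3.OperationalError as exc:
        naive_error = str(exc)      # near "1.0": syntax error
    insert_bound(conn, ROW)
    return naive_error, stored_body(conn, ROW["etag"])


if __name__ == "__main__":
    err, body = demo()
    print("concatenated insert:", err)
    print("bound insert stored body unchanged:", body == PIDF_BODY)
```

Running it reproduces the `near "1.0": syntax error` from the log for the concatenated form, while the bound form stores the XML byte-for-byte. The same reshaping applies to the C module: emit a `?` per value in the query string, then walk the value array and call sqlite3_bind_text (or sqlite3_bind_int) with the 1-based index, which removes the need for any quote escaping in val2str.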