Hello Klaus,
On 02/17/06 14:59, Klaus Darilion wrote:
Hi Daniel!
cool new feature, some questions inline:
Daniel-Constantin Mierla wrote:
Hello,
avpops module has a new function which allow to execute raw SQL queries and store the result in AVPs.
avp_db_query(query, dest);
The query given as parameter can contain pseudo-variables. Using this function you can benefit of full database system features, being able to do joins, unions, etc. Old db-related functions are in place since they are faster for their usage case.
The documentation of the of avpops module was updated and posted at:
http://openser.org/docs/modules/1.1.x/avpops.html
A small example of usage: limit the number of calls done in the last day:
if(is_method("INVITE") && !has_totag()) { if(avp_db_query("select count(*) from acc where username='$fU' and domain='$fd' and method='INVITE' and timestamp>=$Ts-24*3600", "$avp(i:234)"))
I guess the SQL query returns the result as string. Is the conversion to int done when copying into the AVP?
the mysql module does the conversion, based on returned columns' types.
What happens if the query returns multiple rows? Will the AVP be defined multiple times?
Yes, the first AVP will correspond to the first row in result.
Is it possible to retrieve multiple columns? e.g. avp_db_query("select user,domain from ....", "$avp(user)$avp(domain)")
Yes, the destination list has to be separated by ';' => "$avp(user);$avp(domain)"
Is the query SQL-injection save?
Depending of what you do and how :-). Authenticating the user should prevent bad values in From header and credentials, some character sequences are not allowed to be part of user or domain names. Using values from custom headers is quite risky, you have to use other technics to ensure a trusted value. So, I am sure that someone can get some examples of doing sql-injections even without using avp_db_query() , there are many other modules doing SQL queries using parts of SIP message, but these situations can be avoided if you know what you are doing in the script. I do not know a technique to prevent 100% SQL-injections, are you aware of?
Cheers, Daniel
regards klaus
{ if(avp_chech("$avp(i:234)", "ge/i:10")) { sl_send_reply("403", "too many calls in the last day"); exit(); } } }
Cheers, Daniel
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users