Hi, could somebody tell me which characters are allowed in a SIP URI? Which RFC defines it?
I ask because I do a DB query with $ru, so a SQL injection is possible if the RURI contains a single or double '
So at the beginning of the script I'd like to reject a message if the RURI contains illegal symbols.
Could a core function for this be useful?
Regards.
1. You want to take a look at pseudo variable transformations and its escape features. http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x
2. Try to avoid raw SQL queries.
regards klaus
Iñaki Baz Castillo wrote:
> Hi, could somebody tell me which characters are allowed in a SIP URI? Which RFC defines it?
> I ask because I do a DB query with $ru, so a SQL injection is possible if the RURI contains a single or double '
> So at the beginning of the script I'd like to reject a message if the RURI contains illegal symbols.
> Could a core function for this be useful?
> Regards.
On Thursday 15 November 2007 16:05:40 Klaus Darilion wrote:
> - You want to take a look at pseudo variable transformations and its
> escape features. http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x
Thanks a lot, I didn't see them.
> - Try to avoid raw SQL queries.
Yeah, I just need to do one anyway.
Best regards.
On Thursday 15 November 2007 16:28:48 Iñaki Baz Castillo wrote:
> On Thursday 15 November 2007 16:05:40 Klaus Darilion wrote:
> > - You want to take a look at pseudo variable transformations and its
> > escape features. http://www.openser.org/dokuwiki/doku.php/transformations:1.2.x
> Thanks a lot, I didn't see them.
Ok, now I do:
    if ($ru != $(ru{s.escape.common}) || $rU != $(rU{s.escape.user})) {
        sl_send_reply("403", "Forbidden, illegal characters in RURI");
        exit;
    }
;)
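
An added example, not written by anyone in this thread and not OpenSER code: RFC 3261 (section 25.1) defines the SIP URI `user` grammar, and that grammar permits the apostrophe, so a check for "legal SIP characters" alone does not make the value safe to paste into SQL. The Python sketch below uses an in-memory SQLite table and a constructed username (table, column and function names are assumptions) to compare a concatenated query with a bound-parameter one.

```python
import re
import sqlite3

# RFC 3261 section 25.1: user = 1*( unreserved / escaped / user-unreserved )
UNRESERVED = r"A-Za-z0-9\-_.!~*'()"      # alphanum / mark (mark includes ')
USER_UNRESERVED = r"&=+$,;?/"
USER_RE = re.compile("(?:[" + UNRESERVED + USER_UNRESERVED + "]|%[0-9A-Fa-f]{2})+")

# Constructed sample: every character is legal in a SIP user part.
SAMPLE_USER = "x'OR'1'='1"

def is_valid_sip_user(user):
    """True if `user` matches the RFC 3261 `user` production."""
    return USER_RE.fullmatch(user) is not None

def make_db():
    """Hypothetical subscriber table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber (username TEXT, secret TEXT)")
    db.executemany("INSERT INTO subscriber VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concat(db, user):
    """Weak form: the value becomes part of the SQL text."""
    sql = "SELECT username FROM subscriber WHERE username = '" + user + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, user):
    """Hardened form: the value is passed as a bound parameter."""
    sql = "SELECT username FROM subscriber WHERE username = ?"
    return [row[0] for row in db.execute(sql, (user,))]

if __name__ == "__main__":
    db = make_db()
    print("RFC 3261 valid user:", is_valid_sip_user(SAMPLE_USER))
    print("concatenated query :", lookup_concat(db, SAMPLE_USER))
    print("bound parameter    :", lookup_bound(db, SAMPLE_USER))
```

The concatenated query returns every row for the RFC-valid sample, while the bound query returns none; escaping for the SQL context or binding parameters is what closes the gap.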