[Users] avpops: new function avp_db_query()

Daniel-Constantin Mierla daniel at voice-system.ro
Fri Feb 17 18:59:16 CET 2006 

Hello Klaus,

On 02/17/06 14:59, Klaus Darilion wrote:
> Hi Daniel!
>
> cool new feature, some questions inline:
>
> Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> avpops module has a new function which allow to execute raw SQL 
>> queries and store the result in AVPs.
>>
>> avp_db_query(query, dest);
>>
>> The query given as parameter can contain pseudo-variables. Using this 
>> function you can benefit of full database system features, being able 
>> to do joins, unions, etc. Old db-related functions are in place since 
>> they are faster for their usage case.
>>
>> The documentation of the of avpops module was updated and posted at:
>>
>> http://openser.org/docs/modules/1.1.x/avpops.html
>>
>> A small example of usage: limit the number of calls done in the last 
>> day:
>>
>> if(is_method("INVITE") && !has_totag())
>> {
>>     if(avp_db_query("select count(*) from acc where username='$fU' 
>> and domain='$fd' and method='INVITE' and timestamp>=$Ts-24*3600", 
>> "$avp(i:234)"))
>
> I guess the SQL query returns the result as string. Is the conversion 
> to int done when copying into the AVP?
the mysql module does the conversion, based on returned columns' types.
>
> What happens if the query returns multiple rows? Will the AVP be 
> defined multiple times?
Yes, the first AVP will correspond to the first row in result.
>
> Is it possible to retrieve multiple columns? e.g.
>  avp_db_query("select user,domain from ....", "$avp(user)$avp(domain)")
Yes, the destination list has to be separated by ';' => 
"$avp(user);$avp(domain)"
>
> Is the query SQL-injection save?
Depending of what you do and how :-). Authenticating the user should 
prevent bad values in From header and credentials, some character 
sequences are not allowed to be part of user or domain names. Using 
values from custom headers is quite risky, you have to use other 
technics to ensure a trusted value. So, I am sure that someone can get 
some examples of doing sql-injections even without using avp_db_query() 
, there are many other modules doing SQL queries using parts of SIP 
message, but these situations can be avoided if you know what you are 
doing in the script. I do not know a technique to prevent 100% 
SQL-injections, are you aware of?

Cheers,
Daniel

>
> regards
> klaus
>
>>    {
>>       if(avp_chech("$avp(i:234)", "ge/i:10"))
>>      {
>>          sl_send_reply("403", "too many calls in the last day");
>>          exit();
>>     }
>>   }
>> }
>>
>> Cheers,
>> Daniel
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/users
>
>

More information about the Users mailing list