sql string escaping at tempstorage

2 files changed, 5 insertions, 3 deletions

diff --git a/nopsyncd/rddb.lua b/nopsyncd/rddb.lua
index e7ed14e..56c73b7 100644
--- a/nopsyncd/rddb.lua
+++ b/nopsyncd/rddb.lua
@@ -32,7 +32,7 @@ function rddb:init()
    end
 
    -- TODO: read /etc/rd.conf for connection info
-   self.con, err = self.env:connect("rivendell", "rivendellro", "lldrivenro", "127.0.0.1")
+   self.con, err = self.env:connect("rivendell", "rivendellro", "lldrivenro", "192.168.1.16")
    if self.con == nil then
       return nil, err
    end
diff --git a/nopsyncd/tempstorage.lua b/nopsyncd/tempstorage.lua
index 37f3422..d40ee42 100644
--- a/nopsyncd/tempstorage.lua
+++ b/nopsyncd/tempstorage.lua
@@ -61,14 +61,16 @@ function tempstorage:getLastCart()
 end
 
 function tempstorage:insertMusic(timestamp, cart, len, title, artist, album)
+   timestamp = tonumber(timestamp)
    cart = tonumber(cart)
+   len = tonumber(len)
    if cart < 400000 or cart > 450000 then
       poolnum = 0
    else
       poolnum = math.floor(cart/1000) - 399
    end
-   -- TODO escape "' in strings"
-   local cur, err = self.con:execute("INSERT into now VALUES(" .. timestamp .. ", " .. cart .. ", " .. len .. ", 'Musikpool " .. poolnum .. "', '" .. title .. "', '" .. artist .."', '" .. album .. "', 1)")
+   -- usage of undocumented escape function...
+   local cur, err = self.con:execute("INSERT into now VALUES(" .. timestamp .. ", " .. cart .. ", " .. len .. ", 'Musikpool " .. poolnum .. "', '" .. self.con:escape(title) .. "', '" .. self.con:escape(artist) .."', '" .. self.con:escape(album) .. "', 1)")
    if cur == nil then
       return nil, err
    end