From 0ae418d89c3725ca72510467e8cfa55adefc8c6b Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@helsinki.at>
Date: Wed, 16 Mar 2011 14:59:35 +0000
Subject: sql string escaping at tempstorage


diff --git a/nopsyncd/rddb.lua b/nopsyncd/rddb.lua
index e7ed14e..56c73b7 100644
--- a/nopsyncd/rddb.lua
+++ b/nopsyncd/rddb.lua
@@ -32,7 +32,7 @@ function rddb:init()
    end
 
    -- TODO: read /etc/rd.conf for connection info
-   self.con, err = self.env:connect("rivendell", "rivendellro", "lldrivenro", "127.0.0.1")
+   self.con, err = self.env:connect("rivendell", "rivendellro", "lldrivenro", "192.168.1.16")
    if self.con == nil then
       return nil, err
    end
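Review bot: The changed line still assigns `err` without a `local`, so unless it is declared earlier in rddb:init (the function starts above this hunk) the connection error message lands in a global that every other module can read or clobber; `local con, err = self.env:connect(...)` followed by `self.con = con` keeps it scoped. The hunk also swaps one hard-coded host for another while the database user, password and host remain literals in the source next to an open TODO; the commit subject ("sql string escaping at tempstorage") does not mention this unrelated change, so it deserves at least a line in the message or its own commit. A comment such as `-- FIXME: connection parameters belong in /etc/rd.conf, not in source` would make the intent explicit until that is done.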
diff --git a/nopsyncd/tempstorage.lua b/nopsyncd/tempstorage.lua
index 37f3422..d40ee42 100644
--- a/nopsyncd/tempstorage.lua
+++ b/nopsyncd/tempstorage.lua
@@ -61,14 +61,16 @@ function tempstorage:getLastCart()
 end
 
 function tempstorage:insertMusic(timestamp, cart, len, title, artist, album)
+   timestamp = tonumber(timestamp)
    cart = tonumber(cart)
+   len = tonumber(len)
    if cart < 400000 or cart > 450000 then
       poolnum = 0
    else
       poolnum = math.floor(cart/1000) - 399
    end
-   -- TODO escape "' in strings"
-   local cur, err = self.con:execute("INSERT into now VALUES(" .. timestamp .. ", " .. cart .. ", " .. len .. ", 'Musikpool " .. poolnum .. "', '" .. title .. "', '" .. artist .."', '" .. album .. "', 1)")
+   -- usage of undocumented escape function...
+   local cur, err = self.con:execute("INSERT into now VALUES(" .. timestamp .. ", " .. cart .. ", " .. len .. ", 'Musikpool " .. poolnum .. "', '" .. self.con:escape(title) .. "', '" .. self.con:escape(artist) .."', '" .. self.con:escape(album) .. "', 1)")
    if cur == nil then
       return nil, err
    end
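Review bot: The three `tonumber` conversions can return nil, and the new code then immediately evaluates `cart < 400000` and concatenates `timestamp`/`len` into the statement, so a non-numeric argument now aborts with a runtime error instead of the `nil, err` return the rest of insertMusic uses; add a guard right after the conversions, `if timestamp == nil or cart == nil or len == nil then return nil, "insertMusic: timestamp, cart and len must be numeric" end`. `poolnum` is assigned in both branches without `local` and so becomes a global; `local poolnum` before the `if` fixes it. The comment "usage of undocumented escape function" is misleading if the driver is LuaSQL, where `conn:escape` is part of the documented Connection API in current releases — say which library and version the call depends on instead, e.g. `-- con:escape comes from the LuaSQL connection API; quotes the three string fields`. The function body continues past the end of this hunk.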
-- 
cgit v0.10.2