author | Alexey Shchepin <alexey@process-one.net> | 2016-05-12 18:32:13 +0300 |
---|---|---|
committer | Alexey Shchepin <alexey@process-one.net> | 2016-05-13 17:56:48 +0300 |
commit | 792f47b4bd3c4f423fd25c31b5f8ae82ac59b28b (patch) | |
tree | aed1938b1868878cc3463ada565c8ad05b9c05e6 /src/nodetree_tree_sql.erl | |
parent | Fix C2S session data leak (#1078) (diff) |
Update SQL escaping
Diffstat (limited to 'src/nodetree_tree_sql.erl')
-rw-r--r-- | src/nodetree_tree_sql.erl | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/nodetree_tree_sql.erl b/src/nodetree_tree_sql.erl index b56543395..17ae91b52 100644 --- a/src/nodetree_tree_sql.erl +++ b/src/nodetree_tree_sql.erl @@ -196,11 +196,11 @@ get_subnodes_tree(Host, Node, _From) -> get_subnodes_tree(Host, Node) -> H = node_flat_sql:encode_host(Host), - N = ejabberd_sql:escape(Node), + N = ejabberd_sql:escape(ejabberd_sql:escape_like_arg_circumflex(Node)), case catch ejabberd_sql:sql_query_t([<<"select node, parent, type, nodeid from " "pubsub_node where host='">>, - H, <<"' and node like '">>, N, <<"%';">>]) + H, <<"' and node like '">>, N, <<"%' escape '^';">>]) of {selected, [<<"node">>, <<"parent">>, <<"type">>, <<"nodeid">>], RItems} -> @@ -256,10 +256,10 @@ create_node(Host, Node, Type, Owner, Options, Parents) -> delete_node(Host, Node) -> H = node_flat_sql:encode_host(Host), - N = ejabberd_sql:escape(Node), + N = ejabberd_sql:escape(ejabberd_sql:escape_like_arg_circumflex(Node)), Removed = get_subnodes_tree(Host, Node), catch ejabberd_sql:sql_query_t([<<"delete from pubsub_node where host='">>, - H, <<"' and node like '">>, N, <<"%';">>]), + H, <<"' and node like '">>, N, <<"%' escape '^';">>]), Removed. %% helpers |
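Review bot: In get_subnodes_tree the pattern built from `N` followed by `%` is still a plain string-prefix match, so even with the wildcards in `Node` neutralised it would presumably also select any unrelated node whose name merely begins with the same characters; the same pattern drives the `delete from pubsub_node` in delete_node in the second hunk, where the effect is deletion rather than listing. If node names are path-like, bounding the match on the separator or on the `parent` column would restrict it to real descendants, but how nodes are named is not visible here, so this needs confirming. I would at least add a comment above the query, for example `%% LIKE is a prefix match on the escaped node name; '^' escapes % and _ in Node`. The case clauses of get_subnodes_tree continue past the end of the hunk.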
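Review bot: In delete_node the bare `catch` in front of `ejabberd_sql:sql_query_t(...)` discards both the return value and any exception, so `Removed` is handed back to the caller even when the delete statement failed and the rows are still in pubsub_node. The new `escape '^'` clause is SQL that a backend could in principle reject, and such a failure would be silent here. Matching on the result, or dropping the `catch` so the error reaches what is presumably a surrounding transaction, would make it visible; if ignoring the failure is deliberate, a comment such as `%% best effort: a failed delete is ignored, Removed reflects the select above` should say so. The two-step escaping `ejabberd_sql:escape(ejabberd_sql:escape_like_arg_circumflex(Node))` is also repeated verbatim from get_subnodes_tree and could live in one local helper so the two queries cannot drift apart.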