(RADIATOR) Feature request: %{Quote:value}, nested and default value string formatting
Robert Blayzor
rblayzor.bulk at inoc.net
Thu Mar 20 08:15:29 CST 2008
Robin Breathe wrote:
> What if Called-Station-Id contains an SQL escape attack? (Perhaps this
> sounds silly, but we'll be receiving proxied requests from other
> organisations...).
If you have that much concern, why not just make a hook that just cleans
up the values? ie: strip characters you don't want to see?
ie:
    sub {
        # $_[0] is a reference to the request packet
        my $p = ${$_[0]};
        my $cid = $p->get_attr('Called-Station-Id');
        if ($cid) {
            # strip double quotes from the value
            $cid =~ s/\"//g;
            $p->change_attr('Called-Station-Id', $cid);
        }
    }
Of course, if you're concerned with more attributes you can build more
Perl to just step through the ones you want to clean up, ie:
    sub {
        my $p = ${$_[0]};
        # clean each attribute of interest in turn
        foreach my $a ('Called-Station-Id', 'Calling-Station-Id',
                       'Connect-Info') {
            if (my $v = $p->get_attr($a)) {
                $v =~ s/\"//g;
                $p->change_attr($a, $v);
            }
        }
    }
--
Robert Blayzor
INOC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
Mac OS X. Because making Unix user-friendly is easier than debugging
Windows.
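An added example, not part of the original post and not Radiator's own code: the same hook shape, generalised from removing one character to keeping only an allow-list of characters per attribute. The character classes, the 64-character cap and the DemoPacket stand-in (used so the hook runs outside Radiator) are assumptions; the sample request is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Per-attribute pattern matching every character that is NOT allowed.
# These classes are assumptions; widen them to what your peers really send.
my %disallowed = (
    'Called-Station-Id'  => qr/[^A-Za-z0-9:._ -]/,
    'Calling-Station-Id' => qr/[^A-Za-z0-9:._ -]/,
    'Connect-Info'       => qr/[^A-Za-z0-9:._\/ -]/,
);
my $max_len = 64;    # assumed length cap

# Hook body in the same shape as the hooks above: $_[0] is a reference
# to the request packet. The return value is used only by this demo.
my $clean_hook = sub {
    my $p       = ${$_[0]};
    my $changed = 0;
    foreach my $a (sort keys %disallowed) {
        my $v = $p->get_attr($a);
        next unless defined $v;
        my $re = $disallowed{$a};
        (my $c = $v) =~ s/$re//g;           # drop everything off the list
        $c = substr($c, 0, $max_len);       # bound the length as well
        next if $c eq $v;                   # untouched values stay as sent
        $p->change_attr($a, $c);
        $changed++;
    }
    return $changed;
};

# Hypothetical stand-in for the request object (get_attr/change_attr only).
package DemoPacket;
sub new         { my ($class, %attrs) = @_; return bless {%attrs}, $class }
sub get_attr    { return $_[0]{ $_[1] } }
sub change_attr { $_[0]{ $_[1] } = $_[2] }

package main;

# Constructed sample request: two values carry characters off the list.
my $p = DemoPacket->new(
    'Called-Station-Id'  => q{00-1A-2B-3C-4D-5E:guest'"},
    'Calling-Station-Id' => '00-11-22-33-44-55',
    'Connect-Info'       => q{CONNECT 54Mbps 802.11g\\},
);
my $n = $clean_hook->(\$p);
print "$n attribute(s) rewritten\n";
print "$_ = ", $p->get_attr($_), "\n" for sort keys %disallowed;
```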