From f4b2efba87fba1521023fe74b14a6c926bd5a4ec Mon Sep 17 00:00:00 2001
From: Michael Giagnocavo <mgg@giagnocavo.net>
Date: Wed, 29 Jul 2009 08:32:20 +0000
Subject: [PATCH] Be safe; use parameters. Detect bad ODBC drivers and refuse
 to load.

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@14409 d0543943-73ff-0310-b7d9-9358b9ac24b2
---
 .../managed/examples/easyroute/App.config     |  8 ++-----
 .../managed/examples/easyroute/easyroute.fs   | 21 +++++++++++++------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/src/mod/languages/mod_managed/managed/examples/easyroute/App.config b/src/mod/languages/mod_managed/managed/examples/easyroute/App.config
index 2b5a86e71f..b2310e2f81 100644
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/App.config
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/App.config
@@ -4,12 +4,8 @@
     <add key="connectionString" value="DSN=easyroute;User=root;Pwd=;" />
     <add key="defaultProfile" value="sofia/default"/>
     <add key="defaultGateway" value="192.168.1.1"/>
-    <!-- query can be changed, but fields must be in the same order, and the number parameter must be %number% -->
-    <add key="query" value="SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = %number% and numbers.gateway_id = gateways.gateway_id;" />
-    
-    <!-- MySQL and other DBs improperly consider \ to be an escape character. easyroute will remove all backslashes from queries to be safe. 
-         if you can handle backlashes properly, set keepBackslashes to true. -->
-    <!-- <add key="keepBackslashes" value="false" -->
+    <!-- query can be changed, but fields must be in the same order, and the number parameter must be ? -->
+    <add key="query" value="SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = ? and numbers.gateway_id = gateways.gateway_id;" />
     
     <!-- To avoid other injections, the incoming number will remove characters matching this regex. Default [^0-9#\*] allows only digits, # and *.-->
     <add key="numberRegexFilter" value="[^0-9#\*]" />
diff --git a/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.fs b/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.fs
index 1907d4b245..3779190b17 100644
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.fs
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.fs
@@ -6,15 +6,25 @@ open FreeSWITCH
 type QueryResult = { dialstring: string; group: string; acctcode: string; limit: int; translated: string }
 
 module easyroute =
+    // Basic config
     let defaultStr def = function null | "" -> def | s -> s
     let getAppSetting (name:string) = match Configuration.ConfigurationManager.AppSettings.Get name with null -> "" | x -> x
     let connString      = getAppSetting "connectionString"
     let defaultProfile  = getAppSetting "defaultProfile"
     let defaultGateway  = getAppSetting "defaultGateway"
-    let query = getAppSetting "query"
+    let query           = getAppSetting "query"
     let configOk = [ connString; defaultProfile; defaultGateway; query; ] |> List.forall (String.IsNullOrEmpty >> not)
-    let keepBackslashes = defaultStr "false" (getAppSetting "keepBackslashes") = "true"
     let numberRegexFilter = defaultStr "[^0-9#]" (getAppSetting "numberRegexFilter")
+    
+    // Determine if ODBC driver quotes parameters properly - MySQL < 3.51.16 apparently does not
+    // We'll select the string "'" -- if quoting works, we'll get ' back. Otherwise, it'll fail, and we'll refuse to load
+    // Error 1064 seems to be the syntax error code MySQL returns. Otherwise, the exception will still stop it from loading, just less gracefully.
+    let odbcOk = use conn = new Odbc.OdbcConnection(connString)
+                 use comm = new Odbc.OdbcCommand("SELECT ?", conn)
+                 comm.Parameters.AddWithValue("@test", "'") |> ignore
+                 conn.Open()
+                 try string (comm.ExecuteScalar()) = "'" 
+                 with :? Odbc.OdbcException as ex when ex.Errors.Count > 0 && ex.Errors.[0].NativeError = 1064 -> false
                 
     let formatDialstring number gateway profile separator = 
         match separator with 
@@ -39,11 +49,9 @@ module easyroute =
     let lookup (number: string) sep =
         try
             let number = if numberRegexFilter = "" then number else Text.RegularExpressions.Regex.Replace(number, numberRegexFilter, "", regexOpts)
-            let number = if keepBackslashes        then number else number.Replace("\\", "") 
-            let query = query.Replace("%number%", sprintf "'%s'" (number.Replace("'", "''"))) // Don't use params cause some odbc drivers are awesome
-            Log.WriteLine(LogLevel.Debug, "EasyRoute query prepared: {0}", query)
             use conn = new Odbc.OdbcConnection(connString)
             use comm = new Odbc.OdbcCommand(query, conn)
+            comm.Parameters.AddWithValue("@number", number) |> ignore
             conn.Open()
             use reader = comm.ExecuteReader CommandBehavior.SingleRow
             match reader.Read() with
@@ -67,7 +75,8 @@ type EasyRoute() =
     interface ILoadNotificationPlugin with
         member x.Load() = 
             if not configOk then Log.WriteLine(LogLevel.Alert, "EasyRoute configuration is missing values.")
-            configOk
+            if not odbcOk   then Log.WriteLine(LogLevel.Critical, "ODBC driver doesn't handle quoting properly; upgrade driver.")
+            configOk && odbcOk
         
     interface IApiPlugin with
         member x.ExecuteBackground ctx =