Hello, On 12.01.24 11:56, Benoît Panizzon wrote: > Hi Daniel > >> comma is not allowed in an unquoted value for SIP parameters because >> it is separator for header bodies that are set on the same header >> name. Practically the comma is the end of parameters list. > Thank you for your confirmation I was on the right track. > >> It should work with: >> >> xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x"); > Any recipe on how to solve if the value is the 'authentication' > password taken from the database? As far as I understood the SIP RFC a > comma is permitted in the SIP password itself, as it is never present > cleartext in a sip header. > > Quick example of what I do when receiving a REGISTER with credentials to pull > the password: > > $var(query) = "select user,password,language from sometable where auth_user = > '" + $var(auth_user) + "' limit 1"; > $var(qresult) = sql_xquery("database", "$var(query)", "userdata"); > xavp_params_implode("userdata","$var(xuserdata)"); > > $var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH" > > This is the stored in an $sht to be cached and available for a while and > reducde SQL queries. > > I guess there is no way to have sql_xquery automatically quote result fields > that need quoting. > > I could probably do select user,concat('"',password,'"'),language from > sometable? > > This could also be a potential issue with variable injections via SQL. > Immagine some use sets a password ";var=value" this would lead to this var > being overwritten I guess. > > We are moving towards storing ha1 hashed passwords, so that would solve my > issue I guess.
the devel version has a new function to implode with values between quotes: - https://www.kamailio.org/docs/modules/devel/modules/pv.html#pv.f.xavp_params_implode_qval If you expect any kind of characters, maybe hexa/base32/base64 encoding/decoding is a variant to explore. Cheers, Daniel -- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com Kamailio Advanced Training, February 20-22, 2024 -- asipto.com Kamailio World Conference, April 18-19, 2024, Berlin -- kamailioworld.com
__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-le...@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: