From 8cc991f6f576b7c30d82e15107c6f0052dbeadff Mon Sep 17 00:00:00 2001 From: Michael Clemens Date: Thu, 1 May 2014 11:42:10 +0200 Subject: [PATCH] added string escaping --- sqlite-output.nse | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sqlite-output.nse b/sqlite-output.nse index d440de8..424aff9 100644 --- a/sqlite-output.nse +++ b/sqlite-output.nse @@ -44,7 +44,7 @@ end env = luasql.sqlite3() con = env:connect(dbname) -res = con:execute (string.format("CREATE TABLE '%s' (hostname varchar(100), ip varchar(16), port integer(5), protocol varchar(3), service varchar(100), version varchar(100))", dbtable)) +res = con:execute (string.format("CREATE TABLE '%s' (hostname varchar(100), ip varchar(16), port integer(5), protocol varchar(3), service varchar(100), version varchar(100))", con:escape(dbtable))) function portaction (host, port) local version = "" @@ -54,7 +54,8 @@ function portaction (host, port) if (port.version.version~=nil) then version = version .. port.version.version end - res = con:execute(string.format("INSERT INTO '%s' VALUES ('%s', '%s', '%s', '%s', '%s', '%s')" , dbtable, host.name, host.ip, port.number, port.protocol, port.service, version)) + res = con:execute(string.format("INSERT INTO '%s' VALUES ('%s', '%s', '%s', '%s', '%s', '%s')" , con:escape(dbtable), con:escape(host.name), con:escape(host.ip), con:escape(port.number), con:escape(port.protocol), con:escape(port.service), con:escape(version))) + end function postaction ()