
Summary: ASTERISK-02366: [request] [patch] Lightweight ODBC API for asterisk
Reporter: constfilin (constfilin)
Labels:
Date Opened: 2004-09-08 04:10:34
Date Closed: 2004-10-06 20:41:31
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Resources/res_features
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) astodbc.cpp
( 1) astodbc.cpp
( 2) astodbc.h
( 3) astodbc.h
( 4) astodbc.tgz
( 5) ODBCQuery.cpp
( 6) ODBCQuery.cpp
( 7) ODBCQuery.h
( 8) ODBCQuery.h
Description: This is a suggestion to put into asterisk CVS a lightweight library to
access ODBC in a uniform and easy way. The library is called "astodbc".

There are 3 reasons why this is separate from "res_odbc":

1) "res_odbc" assumes that there is an ODBC DSN registered on the system
  and calls SQLConnect. "astodbc" requires less system configuration
  footprint by calling "SQLDriverConnect".

2) "astodbc" optionally reuses connection pooling in the ODBC driver
  instead of re-implementing it as in "res_odbc".

3) The library wraps around the ODBC API, making most of ODBC functionality
  much easier to access.

The library internals are in C++ - my sincere apologies to C adepts;
I will re-write this in C once I get time.

However, the interface to the library is in pure C and it is declared
in file "astodbc/astodbc.h". I am submitting the sources and the
makefiles.

I would appreciate your feedback.

Respectfully

Constantine
Comments:

By: constfilin (constfilin) 2004-09-09 05:09:02

I am attaching astodbc.h file for easier reviewing.

Also I am attaching astodbc.cpp and ODBCQuery.cpp with some bugs fixed.

By: Brian West (bkw918) 2004-09-09 13:38:33

SQLExecDirect == BAD BAD BAD

You open yourself up for sql injection if you don't first prepare the statement then exec it.  Check how cdr_odbc does it.

bkw

By: constfilin (constfilin) 2004-09-09 16:55:06

Thanks for the attention and comment.

Actually astodbc is a library; it is up to the application using the
library to prevent SQL code injection.

If you feel that a function working through SQLPrepare, SQLBindParameter and SQLExecute should be added to the library, then please say so. IMHO,
adding this functionality will complicate the API and make the library a bit less lightweight.

By: Brian West (bkw918) 2004-09-09 19:05:46

NO, it's not up to the application at all. NEVER NEVER assume that, because the first thing you will see is some ninny on /. saying they found a way to attack an asterisk machine via callerid, or something silly like registration, where it can drop your database just by trying to register with a carefully crafted registration request. Now you have many ways to do this, but I'm sure we can come up with something to make it simple :)

bkw

By: constfilin (constfilin) 2004-09-09 20:19:02

I added a few functions to astodbc.h:

const char*     ast_odbc_query_getstring_by_ndx( void* query, int fndx, const char* defaultValue );
int             ast_odbc_query_getint_by_ndx ( void* query, int fndx, int defaultValue );
short           ast_odbc_query_getbool_by_ndx( void* query, int fndx, short defaultValue );
time_t          ast_odbc_query_gettime_by_ndx( void* query, int fndx, time_t defaultValue );
int             ast_odbc_query_get_column_count( void* query );
const char*     ast_odbc_query_get_column_name( void* query, int ndx );

The necessary code changes are attached. As for prevention of SQL code injection attacks - we can add this functionality later. Perhaps - for now -
it should be stated somewhere next to ast_odbc_query_new() that it is the
application's responsibility to escape all strings in SQL queries and prevent SQL code injection.

Thanks!

-c
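The two approaches argued over in this thread, shown side by side as an added example; this is not astodbc's code, nor Asterisk's, and it does not use ODBC at all. Python's built-in sqlite3 module stands in for the driver because the mechanics are the same: splicing caller-controlled text into the SQL string is what an SQLExecDirect-style ast_odbc_query_new() does, while the `?` placeholder with a separately supplied value is what SQLPrepare, SQLBindParameter and SQLExecute do. The sip_peers table, the two peers and the two crafted peer names are constructed for the example (the table is not Asterisk's real schema). It goes slightly beyond the thread: the first crafted name rewrites the WHERE clause so a lookup returns every peer's secret, and the second appends a DROP TABLE, the scenario bkw918 describes for a crafted registration.

```python
import sqlite3

# Constructed sample table standing in for whatever a SIP registration or
# CDR lookup would consult; not Asterisk's real schema.
PEERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed attacker-controlled values, e.g. the user part of a REGISTER.
BYPASS_NAME = "nobody' OR '1'='1"                       # rewrites the WHERE clause
DROP_NAME = "nobody'; DROP TABLE sip_peers; SELECT 'x"  # appends extra statements


def make_db():
    """Fresh in-memory database holding the constructed peer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sip_peers (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO sip_peers VALUES (?, ?)", PEERS)
    return conn


def table_exists(conn, name="sip_peers"):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


# --- SQLExecDirect style: the caller's string becomes part of the SQL text ---

def peer_secrets_execdirect(conn, peername):
    sql = "SELECT secret FROM sip_peers WHERE name = '%s'" % peername
    return [r[0] for r in conn.execute(sql).fetchall()]


def unregister_execdirect(conn, peername):
    # executescript hands the whole text to the engine, as a driver given
    # SQLExecDirect does, so any statements the attacker appended run too.
    sql = "DELETE FROM sip_peers WHERE name = '%s'" % peername
    conn.executescript(sql)


# --- SQLPrepare / SQLBindParameter / SQLExecute style: fixed SQL, bound value ---

def peer_secrets_bound(conn, peername):
    sql = "SELECT secret FROM sip_peers WHERE name = ?"
    return [r[0] for r in conn.execute(sql, (peername,)).fetchall()]


def unregister_bound(conn, peername):
    sql = "DELETE FROM sip_peers WHERE name = ?"
    conn.execute(sql, (peername,))


def demo():
    """Run both styles against both crafted names; returns a summary dict."""
    results = {}
    db = make_db()
    results["execdirect_bypass"] = sorted(peer_secrets_execdirect(db, BYPASS_NAME))
    results["bound_bypass"] = peer_secrets_bound(db, BYPASS_NAME)
    results["bound_alice"] = peer_secrets_bound(db, "alice")

    db = make_db()
    unregister_execdirect(db, DROP_NAME)
    results["table_after_execdirect_drop"] = table_exists(db)

    db = make_db()
    unregister_bound(db, DROP_NAME)
    results["table_after_bound_drop"] = table_exists(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the bound form the crafted names are just strings that match no row: the lookup returns nothing and the DELETE removes nothing, with no escaping required from the application. That is the property an escape-it-yourself rule next to ast_odbc_query_new() cannot give, since every caller has to get the escaping right for every driver's quoting rules.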

By: Mark Spencer (markster) 2004-10-06 19:48:27

We've added new "realtime" support to Asterisk (see new IAX2 changes, SIP soon to follow) using combined work from myself, tony and your ideas.