fix sql queries to use escaped parameters

git-svn-id: file:///root/webif/svn/humax/pkg/src/webif/trunk@339 2a923420-c742-0410-a762-8d5b09965624

CONTROL/control

@@ -1,7 +1,7 @@
 Package: webif
 Priority: optional
 Section: web
-Version: 0.6.6
+Version: 0.6.6-1
 Architecture: mipsel
 Maintainer: af123@hummypkg.org.uk
 Depends: mongoose(>=3.0-2),jim(>=0.71-1),jim-sqlite3(>=0.71-1),jim-cgi(>=0.4),jim-oo,jim-pack,service-control,busybox(>=1.18.3-1),lsof,epg(>=1.0.3),hmt(>=1.0.6),ssmtp

var/mongoose/lib/epg.class

@@ -136,7 +136,7 @@ epg method get_channel_info {} {
 		set chan [lindex [$channeldb query {
 			select szSvcName, usLcn, aucDefaultAuthority, hsvc
 			from TBL_SVC
-			where usSvcId = %s} $service_id
+			where usSvcId = '%s'} $service_id
 		    ] 0]
 		if {[dict exists $chan usLcn]} {
 			set channel_num $chan(usLcn)

var/mongoose/lib/rsv.class

@@ -119,13 +119,13 @@ rsv method remove_pending {} {
 rsv method fix_hsvc {} {
 	global rsvdb
 
-	set _hsvc [$rsvdb query "
+	set _hsvc [$rsvdb query {
 		select hSvc
 		from channel.TBL_SVC
-		where szSvcName = '$szSvcName'
+		where szSvcName = '%s'
-		or szSvcname = '\025$szSvcName'
+		or szSvcname = '\025%s'
 		limit 1
-	"]
+	} $szSvcName $szSvcName]
 
 	if {[llength $_hsvc] == 1} {
 		set hsvc [lindex [lindex $_hsvc 0] 1]