From b5099c1e77849bb27b22b28381a3d62a19ef900f Mon Sep 17 00:00:00 2001
From: Alexey Melnichuk
Date: Mon, 21 Nov 2016 23:54:19 +0300
Subject: [PATCH] Add. Use params in pin_number.lua (#2112)
---
 resources/install/scripts/pin_number.lua | 28 ++++++++++++++----------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/resources/install/scripts/pin_number.lua b/resources/install/scripts/pin_number.lua
index 4858b68e16..3700850094 100644
--- a/resources/install/scripts/pin_number.lua
+++ b/resources/install/scripts/pin_number.lua
@@ -45,9 +45,12 @@
 sounds_dir = session:getVariable("sounds_dir");
 --connect to the database
- if (pin_number == "database") then
- require "resources.functions.database_handle";
- dbh = database_handle('system');
+ local Database = require "resources.functions.database";
+ dbh = Database.new('system');
+
+ --include json library
+ if (debug["sql"]) then
+ json = require "resources.functions.lunajson"
 end
 end
@@ -66,12 +69,12 @@
 --get the domain_name
 domain_name = session:getVariable("domain_name");
 --get the domain_uuid using the domain_name
- sql = [[SELECT domain_name FROM v_domains
- WHERE domain_name = ']] .. domain_name ..[[' ]];
+ local sql = "SELECT domain_name FROM v_domains WHERE domain_name = :domain_name";
+ local params = {domain_name = domain_name};
 if (debug["sql"]) then
- freeswitch.consoleLog("NOTICE", "SQL: "..sql.."\n");
+ freeswitch.consoleLog("NOTICE", "[pin_number] SQL: "..sql.."; params: " .. json.encode(params) .. "\n");
 end
- dbh:query(sql, function(row)
+ dbh:query(sql, params, function(row)
 domain_uuid = row["domain_uuid"];
 end);
 end
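Review bot: In the first hunk the `if (pin_number == "database") then` guard sits on the removed side and is not re-added, so `Database.new('system')` now appears to run on every call, including calls configured with a static PIN. If the unconditional connection is intended, record it in the comment above, e.g. `--connect to the database (always, not only for database PINs)`; otherwise keep the guard around the new lines. `json` is also assigned as a global and only when `debug["sql"]` is set, so every later `json.encode` has to stay behind that same check. The block closed by the final `end` starts above the hunk.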
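Review bot: In the domain lookup hunk the statement selects `domain_name` while the callback reads `row["domain_uuid"]`, so this query never fills `domain_uuid`; the parameterized rewrite carries that mismatch over. Select the column that is read: `local sql = "SELECT domain_uuid FROM v_domains WHERE domain_name = :domain_name";`. The PIN check in the next hunk binds `domain_uuid` as a named parameter, and how the Database helper treats a missing value there is not visible on this page, so the domain scoping of the PIN lookup presumably depends on this being set. The enclosing `if` block starts above the hunk.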
@@ -83,15 +86,16 @@
 --validate the user pin number
 if (pin_number == "database") then
- sql = [[SELECT * FROM v_pin_numbers
- WHERE pin_number = ']] .. digits ..[['
- AND domain_uuid = ']] .. domain_uuid .. [['
+ local sql = [[SELECT * FROM v_pin_numbers
+ WHERE pin_number = :digits
+ AND domain_uuid = :domain_uuid
 AND enabled = 'true' ]];
+ local params = {digits = digits, domain_uuid = domain_uuid};
 if (debug["sql"]) then
- freeswitch.consoleLog("NOTICE", "SQL: "..sql.."\n");
+ freeswitch.consoleLog("NOTICE", "[pin_number] SQL: "..sql.."; params: " .. json.encode(params) .. "\n");
 end
 auth = false;
- dbh:query(sql, function(row)
+ dbh:query(sql, params, function(row)
 --get the values from the database
 accountcode = row["accountcode"];
 --set the variable to true
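Review bot: The debug line in the PIN validation hunk writes `json.encode(params)` to the console log, and `params` holds `digits`, the PIN the caller just entered, so with `debug["sql"]` enabled every attempted PIN, valid ones included, lands in the FreeSWITCH log in clear text. Log a redacted copy instead, e.g. `local log_params = {digits = "(redacted)", domain_uuid = domain_uuid};` and pass `json.encode(log_params)` to `consoleLog`. `SELECT *` could also be narrowed to the columns the callback reads; only `accountcode` is visible here because the callback body continues past the end of the hunk.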