On Wed, Mar 28, 2001 at 01:01:30AM -0500, Mordechai T. Abzug wrote:
> On Tue, Mar 27, 2001 at 06:37:30PM -0600, Chad C. Walstrom wrote:
> > template("INSERT INTO mytable ( host, facility, priority, level, tag, date, time, program, msg) VALUES( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n"));
>
> NB: from a security perspective, this may not be a good idea. What if $MSG is created by a hostile host and includes a single quote followed by some SQL statement? This is the standard "mixed code + externally supplied data" problem.

Thanks for the tip. That's a good thing to point out. Hostile or not, messages could have characters that need to be escaped. In terms of robust design, my suggestion probably falls along the lines of a hack. ;-) Also, in terms of portable SQL, my use of INTO is inappropriate. ;-)

-- 
Chad Walstrom <chewie@wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/ | s.k.a. gunnarr
Key fingerprint = B4AB D627 9CBD 687E 7A31 1950 0CC7 0B18 206C 5AFD
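
Added example, not part of the original thread and not code from either poster: the "mixed code + externally supplied data" problem reproduced with Python's sqlite3, inserting the same three messages once by pasting values into the statement text (as the quoted template does) and once with bound parameters. The sample records, the function names and the use of executescript() as a stand-in for a SQL client that runs every statement it is fed are assumptions.

```python
import sqlite3

COLS = ("host", "facility", "priority", "level", "tag",
        "date", "time", "program", "msg")
COL_LIST = ", ".join(COLS)

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE mytable ({COL_LIST})")
    return db

def record(msg):
    # Constructed sample log record; only msg varies.
    return dict(host="web1", facility="auth", priority="info", level="6",
                tag="26", date="2001-03-28", time="01:01:30",
                program="sshd", msg=msg)

def insert_by_template(db, rec):
    # Same shape as the quoted template: each value pasted between quotes.
    values = ", ".join("'%s'" % rec[c] for c in COLS)
    sql = f"INSERT INTO mytable ({COL_LIST}) VALUES ({values});\n"
    # Assumption: the receiving SQL client runs every statement it is fed;
    # executescript() stands in for that client.
    db.executescript(sql)

def insert_with_parameters(db, rec):
    # Statement text is fixed; values travel separately as bound parameters.
    marks = ", ".join("?" for _ in COLS)
    db.execute(f"INSERT INTO mytable ({COL_LIST}) VALUES ({marks})",
               [rec[c] for c in COLS])

def stored_msgs(db):
    return [r[0] for r in db.execute("SELECT msg FROM mytable ORDER BY rowid")]

# Constructed messages: an ordinary apostrophe, and a quote followed by SQL.
MESSAGES = ["session opened", "can't open config", "x'); DELETE FROM mytable; --"]

def run(insert):
    db, errors = new_db(), 0
    for msg in MESSAGES:
        try:
            insert(db, record(msg))
        except sqlite3.Error:
            errors += 1  # statement rejected, so this log line is lost
    return stored_msgs(db), errors

if __name__ == "__main__":
    print("template:     ", run(insert_by_template))
    print("parameterized:", run(insert_with_parameters))
```

With the pasted-in values the apostrophe in the second message is rejected as a syntax error and the third message empties the table; with bound parameters all three messages are stored verbatim.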