[Bug 83] New: sql (oracle) queries dont escape single quotes
https://bugzilla.balabit.com/show_bug.cgi?id=83

Summary: sql (oracle) queries dont escape single quotes
Product: syslog-ng
Version: 3.1.x
Platform: Other
OS/Version: Linux
Status: NEW
Severity: major
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: bugzilla.syslogng@feystorm.net
Type of the Report: ---
Estimated Hours: 0.0

SQL inserts with values containing single quotes don't escape the quotes, causing the inserts to fail.

Jun 1 22:08:24 slider syslog-ng.515[20417]: Error running SQL query; type='oracle', host='', port='', user='report_agent', database='oru23', error='1400: ORA-01400: cannot insert NULL into ("CMS_DBO"."MESSAGE_TRACKING"."MSGID")\x0a', query='INSERT INTO cms_dbo.message_tracking (host, msg_dt, pname, message, msgid, xid, from_name, from_domain, to_name, to_domain, addr) VALUES (\'iceman.dev.usa.net\', \'2010-06-01 22:08:22\', \'smtad\', \'[4155186080] 000000007 ok XID: XID007oFawiw8111Xem MsgID: <4C0584D4.50007@devo0402.dev.usa.net> Dest: cms:gwsin IP: 165.212.101.13 From: <phemmer@devo0402.dev.usa.net> Rcpt: <phemmer@devo0402.dev.usa.net> Subject: \'\'Re: asdf\'\' Size: 22400 Response: 250 Mail accepted (292oFawiw3072Mem)\', NULL, \'XID007oFawiw8111Xem\', \'phemmer\', \'devo0402.dev.usa.net\', \'phemmer\', \'devo0402.dev.usa.net\', \'165.212.101.13\')'

The part that is causing the problem is the 'message' field with value:

[4155186080] 000000007 ok XID: XID007oFawiw8111Xem MsgID: <4C0584D4.50007@devo0402.dev.usa.net> Dest: cms:gwsin IP: 165.212.101.13 From: <phemmer@devo0402.dev.usa.net> Rcpt: <phemmer@devo0402.dev.usa.net> Subject: ''Re: asdf'' Size: 22400 Response: 250 Mail accepted (292oFawiw3072Mem)

^^that is what is passed in the insert statement. As you can see, there are 2 single-quotes around the subject. The string as it gets passed to syslog-ng is:

...Subject: 'Re: asdf' Size...

So instead of escaping the single quote, it adds another quote.

The afsql.c code calls dbi_conn_quote_string_copy to escape it, but this is obviously failing to do so (and not only fails, but for some reason adds a second quote). I'm attempting to find a simple fix for this, but there doesn't appear to be a clean & proper way of doing this. But I'll keep digging as this is a fairly significant flaw which I have to get fixed before using this in production.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=83

Patrick <bugzilla.syslogng@feystorm.net> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Severity   |major   |minor
Resolution |        |INVALID
Status     |NEW     |RESOLVED

--- Comment #1 from Patrick <bugzilla.syslogng@feystorm.net> 2010-06-02 00:45:15 ---

Edit, never mind, I am an idiot. Reading up and apparently that's how Oracle escapes single-quotes (I rarely use Oracle). The quote was actually breaking my parser (I thought the null error was because the quote was throwing the values out of order with the columns). This can be closed.
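
The escaping convention Comment #1 refers to, as an added example that is not part of the original thread and is not syslog-ng or libdbi code: standard SQL escapes a single quote inside a string literal by doubling it, so a reader that honours that rule recovers the original text and the values stay aligned with their columns. The helpers `sql_quote` and `sql_values` and the sample list are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as a SQL string literal: wrap it in single quotes and double every
 * embedded one. Hypothetical helper, not libdbi's code. Caller frees. */
char *sql_quote(const char *s) {
    char *out = malloc(2 * strlen(s) + 3), *p = out;  /* worst case: all quotes */
    if (!out) return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') *p++ = '\'';
        *p++ = *s;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Walk a comma-separated VALUES list. Inside a literal, '' is one quote
 * character and does not end the literal. Copies the decoded value number
 * `want` (0-based, -1 to only count) into buf. Returns the number of values,
 * or -1 if a literal is never closed. Hypothetical helper. */
int sql_values(const char *list, int want, char *buf, size_t cap) {
    int count = 0, in_str = 0;
    size_t len = 0;
    if (cap) buf[0] = '\0';
    for (const char *c = list; ; c++) {
        if (in_str && c[0] == '\'' && c[1] == '\'') c++;   /* escaped quote */
        else if (*c == '\'') { in_str = !in_str; continue; }
        else if (in_str && *c == '\0') return -1;
        else if (!in_str && *c == '\0') return count + 1;
        else if (!in_str && *c == ',') { count++; continue; }
        else if (!in_str && *c == ' ') continue;           /* padding */
        if (count == want && len + 1 < cap) { buf[len++] = *c; buf[len] = '\0'; }
    }
}

int main(void) {
    /* Constructed sample modelled on the report: quoted text, NULL, an id. */
    char list[128], got[64];
    char *msg = sql_quote("Subject: 'Re: asdf' Size");
    if (!msg) return 1;
    snprintf(list, sizeof list, "'smtad', %s, NULL, 'XID007'", msg);
    int n = sql_values(list, 1, got, sizeof got);
    printf("%s\n%d values, value 1 = %s\n", list, n, got);
    free(msg);
    return 0;
}
```

A reader that treats every single quote as a delimiter, or splits on every comma, would miscount the values in the same list.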

https://bugzilla.balabit.com/show_bug.cgi?id=83

Balazs Scheidler <bazsi@balabit.hu> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |CLOSED

--- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2010-06-03 13:05:29 ---

thanks for reporting back.