[syslog-ng] Feature Request

Chad C. Walstrom chewie@wookimus.net
Wed, 28 Mar 2001 00:23:14 -0600



On Wed, Mar 28, 2001 at 01:01:30AM -0500, Mordechai T. Abzug wrote:
> On Tue, Mar 27, 2001 at 06:37:30PM -0600, Chad C. Walstrom wrote:
> 
> >     template("INSERT INTO mytable ( host, facility, priority, level, tag, date, time, program, msg) VALUES( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n"));
> 
> NB: from a security perspective, this may not be a good idea.  What if
> $MSG is created by a hostile host and includes a single quote followed
> by some SQL statement?  This is the standard "mixed code + externally
> supplied data" problem.

Thanks for the tip.  That's a good thing to point out.  Hostile or not,
messages could have characters that need to be escaped.  In terms of
robust design, my suggestion probably falls along the lines of a hack.
;-)  Also, in terms of portable SQL, my use of INTO is inappropriate.
;-)

-- 
Chad Walstrom <chewie@wookimus.net>                 | a.k.a. ^chewie
http://www.wookimus.net/                            | s.k.a. gunnarr
Key fingerprint = B4AB D627 9CBD 687E 7A31  1950 0CC7 0B18 206C 5AFD
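The following is a worked example added to this archived message; it is not code from the thread or from syslog-ng. It takes the template quoted above, expands its macros by plain text substitution the way a template engine that knows nothing about SQL would, and feeds the result to an in-memory SQLite database standing in for whatever client the file is piped into. The macro values, the two log messages and the `expand()`, `sql_quote()` and `load_*()` helpers are all constructed for the demonstration. It shows the two failure modes the thread raises (an innocent apostrophe breaking the statement, and a crafted `$MSG` appending its own statement), then the same insert with quotes doubled and with bind parameters.

```python
import re
import sqlite3

COLUMNS = ("host", "facility", "priority", "level", "tag",
           "date", "time", "program", "msg")

# The template as proposed in the thread, minus the surrounding template("...") call.
TEMPLATE = ("INSERT INTO mytable ( host, facility, priority, level, tag, date, time, "
            "program, msg) VALUES( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', "
            "'$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );")

# Constructed macro values for one message; $MSG is supplied per call.
BASE = {"HOST": "web1", "FACILITY": "auth", "PRIORITY": "notice", "LEVEL": "notice",
        "TAG": "25", "YEAR": "2001", "MONTH": "03", "DAY": "28",
        "HOUR": "00", "MIN": "23", "SEC": "14", "PROGRAM": "sshd"}

# Constructed messages: one ordinary line containing an apostrophe, one crafted by a
# hostile host to close the string literal and append a statement of its own.
APOSTROPHE_MSG = "Accepted publickey for o'brien from 10.0.0.5"
HOSTILE_MSG = "x'); DELETE FROM mytable; --"


def expand(template, macros):
    """One-pass textual macro expansion ($NAME -> value) with no quoting at all,
    which is how a template that is unaware of SQL behaves (assumption)."""
    return re.sub(r"\$([A-Z]+)", lambda m: macros[m.group(1)], template)


def sql_quote(value):
    """Minimal, portable escaping for a single-quoted SQL literal: double every '."""
    return value.replace("'", "''")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (%s)" % ", ".join(c + " TEXT" for c in COLUMNS))
    return conn


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT msg FROM mytable ORDER BY rowid")]


def load_raw(conn, msg):
    """The template as written: the expanded text goes to the client verbatim.
    executescript() runs every statement it finds, like a client reading a file."""
    conn.executescript(expand(TEMPLATE, dict(BASE, MSG=msg)))
    return stored_messages(conn)


def load_quoted(conn, msg):
    """Same template, every macro value passed through sql_quote() first."""
    quoted = {k: sql_quote(v) for k, v in dict(BASE, MSG=msg).items()}
    conn.executescript(expand(TEMPLATE, quoted))
    return stored_messages(conn)


def load_parameterized(conn, msg):
    """Hardened form: constant SQL text, message fields travel as bind parameters."""
    f = dict(BASE, MSG=msg)
    row = (f["HOST"], f["FACILITY"], f["PRIORITY"], f["LEVEL"], f["TAG"],
           "%s-%s-%s" % (f["YEAR"], f["MONTH"], f["DAY"]),
           "%s:%s:%s" % (f["HOUR"], f["MIN"], f["SEC"]),
           f["PROGRAM"], f["MSG"])
    conn.execute("INSERT INTO mytable (%s) VALUES (%s)"
                 % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))), row)
    return stored_messages(conn)


def demo():
    results = {}
    # 1. An ordinary apostrophe ends the literal early: the client rejects the statement.
    conn = fresh_db()
    try:
        load_raw(conn, APOSTROPHE_MSG)
        results["raw_apostrophe"] = "inserted"
    except sqlite3.Error as e:
        results["raw_apostrophe"] = "error: %s" % e
    # 2. A crafted message runs its own DELETE after the INSERT, emptying the table.
    conn = fresh_db()
    load_raw(conn, "first benign message")
    results["raw_hostile"] = load_raw(conn, HOSTILE_MSG)
    # 3. Doubling quotes keeps both messages as plain data in the table.
    conn = fresh_db()
    load_quoted(conn, "first benign message")
    load_quoted(conn, APOSTROPHE_MSG)
    results["quoted"] = load_quoted(conn, HOSTILE_MSG)
    # 4. Bind parameters need no escaping and never mix data into the SQL text.
    conn = fresh_db()
    load_parameterized(conn, "first benign message")
    results["parameterized"] = load_parameterized(conn, HOSTILE_MSG)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

A syslog-ng template can only write text, so the bind-parameter form is available only when a separate loader reads the log file and talks to the database itself; if the file is piped straight into a SQL client, doubling single quotes inside every macro is the portable minimum, and any database-specific escape rules (backslashes, NUL bytes, the client's own statement separators) still have to be checked for the client actually in use.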

