[syslog-ng]Backslash-escaped quotes in message strings
Peter J. Holzer
Tue, 11 Nov 2003 10:55:16 +0100
Content-Type: text/plain; charset=us-ascii
On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending
> the template output to a database server (fairly common setup), imagine
> an SQL query like:
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP =
> if the quotation mark is not protected by a backslash, the DROP DATABASE
> command will be executed. I think this scenario is less visible to a norm=
> user, at least it is more difficult to notice this possibility.
The proper quoting depends on the database, however. For example, Oracle
doesn't recognize a backslash as quoting character:
SQL> insert into foo values('foo\'bar');
ORA-01756: quoted string not properly terminated
you have to double the single quotes:
SQL> insert into foo values('foo''bar');
1 row created.
I think this is also ANSI SQL, the backslash is a mysql extension.
_ | Peter J. Holzer | We have failed our own creation and given
|_|_) | Sysadmin WSR | birth something truly awful. We're just too
| | | firstname.lastname@example.org | busy cooing over the pram to notice.
__/ | http://www.hjp.at/ | -- http://www.internetisshit.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----