[syslog-ng]Backslash-escaped quotes in message strings
Peter J. Holzer
syslog-ng@lists.balabit.hu
Tue, 11 Nov 2003 10:55:16 +0100
On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending
> the template output to a database server (fairly common setup), imagine
> an SQL query like:
>
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
>
> if the quotation mark is not protected by a backslash, the DROP DATABASE
> command will be executed. I think this scenario is less visible to a normal
> user, at least it is more difficult to notice this possibility.
The proper quoting depends on the database, however. For example, Oracle
doesn't recognize a backslash as quoting character:
SQL> insert into foo values('foo\'bar');
ERROR:
ORA-01756: quoted string not properly terminated
you have to double the single quotes:
SQL> insert into foo values('foo''bar');
1 row created.
I think this is also ANSI SQL; the backslash is a MySQL extension.
hp
-- 
   _  | Peter J. Holzer    | We have failed our own creation and given
|_|_) | Sysadmin WSR       | birth something truly awful. We're just too
| |   | hjp@hjp.at         | busy cooing over the pram to notice.
__/   | http://www.hjp.at/ |    -- http://www.internetisshit.org
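The difference between the two quoting rules, worked through as an added example (not code from the thread or from syslog-ng). It uses Python's sqlite3 module because SQLite follows the ANSI rule described in the reply (doubling the quote; no backslash escape), and the sample message is the constructed one from the quoted mail; the function names are mine.

```python
import sqlite3

# Constructed sample: the template output from the mail, with an embedded quote.
SAMPLE_MSG = "Nov 12 12:23:34 localhost message';DROP DATABASE logdb"


def quote_ansi(value: str) -> str:
    """ANSI SQL string literal: the only escape is doubling the single quote."""
    return "'" + value.replace("'", "''") + "'"


def quote_backslash(value: str) -> str:
    """MySQL-style literal: backslash before the quote. Not portable."""
    return "'" + value.replace("'", "\\'") + "'"


def quote_none(value: str) -> str:
    """No escaping at all: what a template produces with escaping set to 'no'."""
    return "'" + value + "'"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logdb (MSG TEXT)")
    return conn


def insert_quoted(quoter, msg: str) -> str:
    """Build the INSERT by string concatenation, as a template would, using
    the given quoting rule. Returns the stored text, or the name of the
    exception class if the database rejects the statement."""
    conn = fresh_db()
    try:
        conn.execute("INSERT INTO logdb (MSG) VALUES (" + quoter(msg) + ")")
    except sqlite3.Error as exc:
        return type(exc).__name__
    return conn.execute("SELECT MSG FROM logdb").fetchone()[0]


def insert_param(msg: str) -> str:
    """Parameter binding: the message is never parsed as SQL, so no quoting
    rule has to be guessed per database."""
    conn = fresh_db()
    conn.execute("INSERT INTO logdb (MSG) VALUES (?)", (msg,))
    return conn.execute("SELECT MSG FROM logdb").fetchone()[0]


if __name__ == "__main__":
    for name, q in (("none", quote_none), ("backslash", quote_backslash), ("ansi", quote_ansi)):
        print(f"{name:9s} -> {insert_quoted(q, SAMPLE_MSG)!r}")
    print(f"param     -> {insert_param(SAMPLE_MSG)!r}")
```

Only the doubled-quote literal and the bound parameter store the message intact on SQLite; the backslash-escaped literal ends at the backslash and the rest is rejected as a syntax error, which is the Oracle behaviour from the reply.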