[syslog-ng]Backslash-escaped quotes in message strings

Peter J. Holzer syslog-ng@lists.balabit.hu
Tue, 11 Nov 2003 10:55:16 +0100

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending
> the template output to a database server (fairly common setup), imagine
> an SQL query like:
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP =
DATABASE logdb');
> if the quotation mark is not protected by a backslash, the DROP DATABASE
> command will be executed. I think this scenario is less visible to a norm=
> user, at least it is more difficult to notice this possibility.

The proper quoting depends on the database, however. For example, Oracle
doesn't recognize a backslash as quoting character:

    SQL> insert into foo values('foo\'bar');
    ORA-01756: quoted string not properly terminated

you have to double the single quotes:

    SQL> insert into foo values('foo''bar');

    1 row created.

I think this is also ANSI SQL, the backslash is a mysql extension.


   _  | Peter J. Holzer    | We have failed our own creation and given
|_|_) | Sysadmin WSR       | birth something truly awful. We're just too
| |   | hjp@hjp.at         | busy cooing over the pram to notice.
__/   | http://www.hjp.at/ |       -- http://www.internetisshit.org

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.7 (GNU/Linux)