[syslog-ng]Backslash-escaped quotes in message strings

Peter J. Holzer syslog-ng@lists.balabit.hu
Tue, 11 Nov 2003 10:55:16 +0100


--yNb1oOkm5a9FJOVX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending
> the template output to a database server (fairly common setup), imagine
> an SQL query like:
>=20
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP =
DATABASE logdb');
>=20
> if the quotation mark is not protected by a backslash, the DROP DATABASE
> command will be executed. I think this scenario is less visible to a norm=
al
> user, at least it is more difficult to notice this possibility.

The proper quoting depends on the database, however. For example, Oracle
doesn't recognize a backslash as quoting character:

    SQL> insert into foo values('foo\'bar');
    ERROR:
    ORA-01756: quoted string not properly terminated

you have to double the single quotes:

    SQL> insert into foo values('foo''bar');

    1 row created.

I think this is also ANSI SQL, the backslash is a mysql extension.

	hp

--=20
   _  | Peter J. Holzer    | We have failed our own creation and given
|_|_) | Sysadmin WSR       | birth something truly awful. We're just too
| |   | hjp@hjp.at         | busy cooing over the pram to notice.
__/   | http://www.hjp.at/ |       -- http://www.internetisshit.org

--yNb1oOkm5a9FJOVX
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/sLIEfZ+RkG8quy0RApZ3AJ9u1F55ZR9mMyZqfbVSzRpqPo9pRwCfdtbf
eGy7XXroNdXUTDw5en2uAek=
=5R7H
-----END PGP SIGNATURE-----

--yNb1oOkm5a9FJOVX--