[syslog-ng]Backslash-escaped quotes in message strings
Balazs Scheidler
syslog-ng@lists.balabit.hu
Tue, 11 Nov 2003 18:32:01 +0100
On Tue, Nov 11, 2003 at 10:55:16AM +0100, Peter J. Holzer wrote:
> On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> > Setting the default for 'no' in templates is a security issue when sending
> > the template output to a database server (fairly common setup), imagine
> > an SQL query like:
> >
> > INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
> >
> > if the quotation mark is not protected by a backslash, the DROP DATABASE
> > command will be executed. I think this scenario is less visible to a normal
> > user, at least it is more difficult to notice this possibility.
>
> The proper quoting depends on the database, however. For example, Oracle
> doesn't recognize a backslash as quoting character:
>
> SQL> insert into foo values('foo\'bar');
> ERROR:
> ORA-01756: quoted string not properly terminated
>
> you have to double the single quotes:
>
> SQL> insert into foo values('foo''bar');
>
> 1 row created.
>
> I think this is also ANSI SQL, the backslash is a mysql extension.
thanks for the info, I've added a bug ticket to our bugzilla, this will be
added in the future.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1