[syslog-ng] [Bug 83] New: sql (oracle) queries don't escape single quotes

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Wed Jun 2 00:30:25 CEST 2010


https://bugzilla.balabit.com/show_bug.cgi?id=83

           Summary: sql (oracle) queries don't escape single quotes
           Product: syslog-ng
           Version: 3.1.x
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: bugzilla.syslogng at feystorm.net
Type of the Report: ---
   Estimated Hours: 0.0


SQL inserts with values containing single quotes don't escape the quotes, causing the inserts to fail.

Jun  1 22:08:24 slider syslog-ng.515[20417]: Error running SQL query; type='oracle', host='', port='', user='report_agent', database='oru23', error='1400:
ORA-01400: cannot insert NULL into ("CMS_DBO"."MESSAGE_TRACKING"."MSGID")\x0a', query='INSERT INTO cms_dbo.message_tracking (host, msg_dt, pname, message,
msgid, xid, from_name, from_domain, to_name, to_domain, addr) VALUES (\'iceman.dev.usa.net\', \'2010-06-01 22:08:22\', \'smtad\', \'[4155186080] 000000007  ok
XID: XID007oFawiw8111Xem MsgID: <4C0584D4.50007 at devo0402.dev.usa.net> Dest: cms:gwsin IP: 165.212.101.13 From: <phemmer at devo0402.dev.usa.net> Rcpt:
<phemmer at devo0402.dev.usa.net> Subject: \'\'Re: asdf\'\' Size: 22400 Response: 250 Mail accepted (292oFawiw3072Mem)\', NULL, \'XID007oFawiw8111Xem\',
\'phemmer\', \'devo0402.dev.usa.net\', \'phemmer\', \'devo0402.dev.usa.net\', \'165.212.101.13\')'

The part that is causing the problem is the 'message' field with value:
[4155186080] 000000007  ok XID: XID007oFawiw8111Xem MsgID: <4C0584D4.50007 at devo0402.dev.usa.net> Dest: cms:gwsin IP: 165.212.101.13 From:
<phemmer at devo0402.dev.usa.net> Rcpt: <phemmer at devo0402.dev.usa.net> Subject: ''Re: asdf'' Size: 22400 Response: 250 Mail accepted (292oFawiw3072Mem)

That is what is passed in the insert statement. As you can see, there are 2 single quotes around the subject. The string as it gets passed to syslog-ng is:
...Subject: 'Re: asdf' Size...
So instead of escaping the single quote, it adds another quote.

The afsql.c code calls dbi_conn_quote_string_copy to escape it, but this is obviously failing to do so (and not only fails, but for some reason adds a second
quote).

I'm attempting to find a simple fix for this, but there doesn't appear to be a clean & proper way of doing this. But I'll keep digging as this is a fairly
significant flaw which I have to get fixed before using this in production.
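As an added example (my own code, not the report's, syslog-ng's or libdbi's): a minimal C routine that quotes a value as a SQL string literal by doubling every embedded single quote, which is the escape form standard SQL and Oracle use, plus its inverse, so a log value shaped like the Subject field above can be checked to round-trip and a too-small buffer is reported instead of producing a truncated literal. Function names and buffer sizes are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quote `in` as a SQL string literal: wrap in single quotes and double every
 * embedded single quote. Returns the literal's length, or -1 if `out` cannot
 * hold the full literal plus NUL (never emit a truncated literal). */
int sql_quote_string(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3) return -1;              /* '' plus NUL at minimum */
    out[n++] = '\'';
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (n + need + 2 > outlen) return -1;   /* +2: closing quote, NUL */
        out[n++] = *p;
        if (*p == '\'') out[n++] = '\'';     /* ' becomes '' inside the literal */
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Inverse: parse a quoted literal back to the raw value, collapsing each ''
 * pair. Returns the value's length, or -1 on a malformed literal (missing
 * outer quotes, or a lone embedded quote) or a too-small `out`. */
int sql_unquote_string(const char *lit, char *out, size_t outlen)
{
    size_t len = strlen(lit), n = 0;
    if (len < 2 || outlen == 0 || lit[0] != '\'' || lit[len - 1] != '\'')
        return -1;
    for (size_t i = 1; i < len - 1; i++) {
        if (lit[i] == '\'') {
            if (i + 1 >= len - 1 || lit[i + 1] != '\'') return -1;
            i++;                            /* skip second quote of the pair */
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = lit[i];
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample with the shape of the report's message field. */
    const char *msg = "Subject: 'Re: asdf' Size: 22400";
    char lit[128], back[128];
    if (sql_quote_string(msg, lit, sizeof lit) < 0) return 1;
    printf("literal: %s\n", lit);
    if (sql_unquote_string(lit, back, sizeof back) < 0) return 1;
    printf("round trip: %s\n", strcmp(msg, back) == 0 ? "ok" : "FAILED");
    return 0;
}
```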

