rm5248 commented on PR #204: URL: https://github.com/apache/logging-log4cxx/pull/204#issuecomment-1518445521
My assumption was that the bug that you saw was that the SQL statement was not parsed correctly when you had a `'` character in the log message, since that delineates a string. The proper way to insert stuff into the database is to use the [`SQLBindParameter`](https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlbindparameter-function?view=sql-server-ver16) function in ODBC, so that there won't be any SQL injection and you don't have to worry about quoting the string. So as it stands today I think we do have a SQL injection vulnerability.

I don't have a really good idea of how we should change the XML though, maybe something like:

```xml
<param name="sql" value="INSERT INTO [SomeDatabaseName].[SomeUserName].[SomeTableName] ([Thread],[LogName],[LogTime],[LogLevel],[FileName],[FileLine],[Message]) VALUES (?, ?, ?, ?, ?, ?, ?)" />
<param name="col1" value="%t"/>
<param name="col2" value="%c"/>
<param name="col3" value="%d{dd MMM yyyy HH:mm:ss.SSS}"/>
<param name="col4" value="%p"/>
<param name="col5" value="%f"/>
<param name="col6" value="%L"/>
<param name="col7" value="%m"/>
```
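The two failure modes the comment describes (a `'` in the message breaking the statement, and the same mechanism being usable for injection) side by side with the `?`-placeholder approach it proposes. This is an added example and not log4cxx code: it uses Python's built-in `sqlite3` module instead of ODBC so it runs offline, with `?` parameters standing in for what `SQLBindParameter` does in the ODBC appender. The table layout, the seven columns, and the sample log rows are constructed for this example.

```python
import sqlite3

# Column set mirrors the seven conversion patterns (%t %c %d %p %f %L %m)
# in the proposed config above. Table and sample rows are constructed here.
INSERT_COLUMNS = "(thread, logname, logtime, loglevel, filename, fileline, message)"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE log (thread TEXT, logname TEXT, logtime TEXT, loglevel TEXT, "
        "filename TEXT, fileline INTEGER, message TEXT)"
    )
    return conn


def insert_by_concatenation(conn, row):
    """Splice the formatted fields into the SQL text (the vulnerable pattern).
    A quote in any field changes the meaning of the statement."""
    thread, logname, logtime, loglevel, filename, fileline, message = row
    sql = (
        f"INSERT INTO log {INSERT_COLUMNS} "
        f"VALUES ('{thread}', '{logname}', '{logtime}', '{loglevel}', "
        f"'{filename}', {fileline}, '{message}')"
    )
    conn.execute(sql)
    conn.commit()


def insert_with_parameters(conn, row):
    """Send the statement with '?' placeholders and the values separately.
    The driver binds them, so nothing in the log text can alter the SQL and
    no quoting is needed. This is the sqlite3 analog of ODBC SQLBindParameter."""
    sql = f"INSERT INTO log {INSERT_COLUMNS} VALUES (?, ?, ?, ?, ?, ?, ?)"
    conn.execute(sql, row)
    conn.commit()


# Constructed sample rows: one with an apostrophe, one with an injection
# payload that closes the VALUES tuple and appends a second, forged row.
SAMPLE_ROWS = [
    ("main", "app.db", "18 Apr 2023 10:00:00.000", "INFO", "db.cpp", 42,
     "it's a plain message"),
    ("main", "app.db", "18 Apr 2023 10:00:01.000", "WARN", "db.cpp", 43,
     "login failed'), ('x', 'x', 'x', 'ERROR', 'x', 0, 'forged row"),
]


def run(insert):
    """Feed SAMPLE_ROWS through one insert strategy.
    Returns (per-row outcome, total rows stored, stored message column)."""
    conn = make_db()
    outcomes = []
    for row in SAMPLE_ROWS:
        try:
            insert(conn, row)
            outcomes.append("ok")
        except sqlite3.OperationalError:
            # the apostrophe case: the statement no longer parses
            outcomes.append("error")
    count = conn.execute("SELECT COUNT(*) FROM log").fetchone()[0]
    messages = [m for (m,) in conn.execute("SELECT message FROM log ORDER BY rowid")]
    conn.close()
    return outcomes, count, messages


if __name__ == "__main__":
    print("concatenation:", run(insert_by_concatenation))
    print("bound params: ", run(insert_with_parameters))
```

With concatenation the first row fails to parse and the second silently stores a row the application never logged; with bound parameters both messages are stored verbatim, apostrophe and payload included, which is the behaviour the `?` placeholders in the proposed `sql` param would give the ODBC appender.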
