diff --git a/database.php b/database.php
index a3d1d3a..7bdf7ce 100644
--- a/database.php
+++ b/database.php
@@ -72,6 +72,17 @@ function syslog_db_fetch_cell($sql, $col_name = '', $log = TRUE) {
return db_fetch_cell($sql, $col_name, $log, $syslog_cnn);
}
+/* syslog_db_fetch_assoc_prepared - run a 'select' sql query and return all rows found
+ @arg $sql - the sql query to run
+ @arg $params - the parameters to bind to the query
+ @arg $log - whether or not to log the query to the cacti log
+ @returns - the complete result set as an associative array */
+function syslog_db_fetch_assoc_prepared($sql, $params = array(), $log = TRUE) {
+ global $syslog_cnn;
+
+ return db_fetch_assoc_prepared($sql, $params, $log, $syslog_cnn);
+}
+
/* syslog_db_fetch_cell_prepared - run a 'select' sql query and return the first column of the
first row found
@param $sql - the sql query to execute
@@ -128,4 +139,3 @@ function syslog_sql_save($array_items, $table_name, $key_cols = 'id', $autoinc =
global $syslog_cnn;
return sql_save($array_items, $table_name, $key_cols, $autoinc, $syslog_cnn);
}
-
diff --git a/functions.php b/functions.php
index 5c6c7c0..bed0360 100644
--- a/functions.php
+++ b/functions.php
@@ -226,6 +226,12 @@ function syslog_remove_items($table, $uniqueID) {
if (sizeof($rows)) {
foreach($rows as $remove) {
+ /* SQL expressions are legacy, untrusted input and cannot be safely bound
+ * as prepared-statement values. Ignore them rather than executing raw SQL. */
+ if ($remove['type'] == 'sql') {
+ cacti_log('Syslog SQL removal rules are disabled for safety.', false, 'SYSTEM');
+ continue;
+ }
$sql = '';
$sql1 = '';
if ($remove['type'] == 'facility') {
@@ -800,4 +806,3 @@ function syslog_manage_items($from_table, $to_table) {
return array('removed' => $removed, 'xferred' => $xferred);
}
-
diff --git a/setup.php b/setup.php
index e70d620..92d578b 100644
--- a/setup.php
+++ b/setup.php
@@ -928,7 +928,6 @@ function syslog_config_arrays () {
'messagee' => __('Ends with', 'syslog'),
'host' => __('Hostname is', 'syslog'),
'facility' => __('Facility is', 'syslog'),
- 'sql' => __('SQL Expression', 'syslog')
);
$syslog_freqs = array(
@@ -1093,4 +1092,3 @@ function syslog_utilities_list() {
' . (get_request_var('host') != '-2' ? $r['host']:'-') . '';
+ echo '
' . (get_request_var('host') != '-2' ? htmlspecialchars($r['host'], ENT_QUOTES, 'UTF-8'):'-') . ' | ';
echo '' . (get_request_var('facility') != '-2' ? ucfirst($r['facility']):'-') . ' | ';
echo '' . (get_request_var('priority') != '-2' ? ucfirst($r['priority']):'-') . ' | ';
- echo '' . (get_request_var('program') != '-2' ? ucfirst($r['program']):'-') . ' | ';
+ echo '' . (get_request_var('program') != '-2' ? htmlspecialchars(ucfirst($r['program']), ENT_QUOTES, 'UTF-8'):'-') . ' | ';
//echo '' . $r['insert_time'] . ' | ';
echo '' . $time . ' | ';
echo '' . number_format_i18n($r['records'], -1) . ' | ';
@@ -1667,4 +1667,3 @@ function get_ajax_programs($include_any = true, $sql_where = '') {
print json_encode($return);
}
-
diff --git a/syslog_process.php b/syslog_process.php
index 681632b..7d53c8b 100644
--- a/syslog_process.php
+++ b/syslog_process.php
@@ -272,43 +272,56 @@
$smsalert = '';
$th_sql = '';
+ $params = array();
if ($alert['type'] == 'facility') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['facilityField'] . "='" . $alert['message'] . "'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['facilityField'] . '=?
+ AND status=?';
+ $params[] = $alert['message'];
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'messageb') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['textField'] . "
- LIKE '" . $alert['message'] . "%'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['textField'] . '
+ LIKE ?
+ AND status=?';
+ $params[] = $alert['message'] . '%';
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'messagec') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['textField'] . "
- LIKE '%" . $alert['message'] . "%'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['textField'] . '
+ LIKE ?
+ AND status=?';
+ $params[] = '%' . $alert['message'] . '%';
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'messagee') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['textField'] . "
- LIKE '%" . $alert['message'] . "'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['textField'] . '
+ LIKE ?
+ AND status=?';
+ $params[] = '%' . $alert['message'];
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'host') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['hostField'] . "='" . $alert['message'] . "'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['hostField'] . '=?
+ AND status=?';
+ $params[] = $alert['message'];
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'sql') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE (' . $alert['message'] . ')
- AND status=' . $uniqueID;
+ WHERE (?)
+ AND status=?';
+ $params[] = $alert['message'];
+ $params[] = $uniqueID;
}
if ($sql != '') {
if ($alert['method'] == '1') {
$th_sql = str_replace('*', 'count(*)', $sql);
- $count = syslog_db_fetch_cell($th_sql);
+ $count = syslog_db_fetch_cell_prepared($th_sql, $params);
}
if (($alert['method'] == '1' && $count >= $alert['num']) || ($alert['method'] == '0')) {
- $at = syslog_db_fetch_assoc($sql);
+ $at = syslog_db_fetch_assoc_prepared($sql, $params);
/* get a date for the repeat alert */
if ($alert['repeat_alert']) {