SQL Server escape queries

rsalmon · July 26, 2018, 6:45am

Hi all,

I have the following SQL query in a table panel: “SELECT C_SITE FROM SITE WHERE FULLNAMESITE = ‘$Site’”.

With this value “l’hopital de la paie”, I get the following error :

rawSql:“SELECT C_SITE FROM SITE WHERE FULLNAMESITE = ‘l’hopital de la paie’”
response:Object
results:Object
B:Object
message:“mssql: Unclosed quotation mark after the character string ‘’.”

Is it a bug in grafana not escaping variables or is there a way around this ?

Thanks,
Ronan.

rsalmon · July 26, 2018, 6:57am

After digging a bit further, this could be a security issue as I have been able to inject SQL extra code altering my variable :
“l’ UNION SELECT COUNT(*) FROM SITE WHERE 1=1 OR L_FULLNAMESITE = 'hopital de la paie”

rsalmon · August 2, 2018, 7:56am

mefraimsson · August 3, 2018, 12:05pm

Fix wIll be included in Grafana v5.3

Topic		Replies	Views
MSSQL Query Syntax Difference for '' Version 9.2.0 vs 9.1.15 Dashboards query-help	1	343	November 8, 2022
Double single quotes MSSQL templating , mssql	8	3795	May 11, 2023
Grafana 6.6.1 MySQL Variable Trouble Grafana	1	293	August 3, 2021
Variable formatted as regex & MySQL double-escaping of backslashes Configuration templating , mysql	2	2240	July 23, 2021
Template variable with single quote(') being represented as double quote ('') in qurey section templating , mysql	3	8610	April 18, 2020

SQL Server escape queries

Related topics