From 602e3e9a0b00f299e8fdc2f646fdea1aae6ab20d Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:03:35 -0700
Subject: [PATCH 01/16] fix(security): partition correctness, CSV/XSS
 hardening, SQL rule gating

Follow-up to #313. Addresses eight correctness and hardening findings:

- Partition boundary math is now computed as integer epochs in PHP
  (next UTC midnight) and injected as numeric literals. strtotime()
  and UNIX_TIMESTAMP('date-literal') both pulled the PHP/MySQL
  session TZ into UTC-intended math and caused drift at day
  boundaries on non-UTC servers.

- syslog_partition_create() now hard-fails with an error log instead
  of silently warning when SHOW CREATE TABLE does not expose either
  TO_DAYS or UNIX_TIMESTAMP. Silent no-ops caused rotations to stall
  unnoticed. Rewrote str_contains() to strpos() for portability.

- syslog_manage_items() validates $from_table/$to_table against a
  three-value allowlist before interpolation. Defense-in-depth for
  the one caller that currently passes safe literals.

- Alert, removal, and report rule handlers of type sql are gated on
  a new 'syslog_allow_sql_rules' setting (off by default). These
  handlers inline admin-defined SQL into the WHERE clause and
  cannot be parameterised; the previous removal handler also
  emitted invalid syntax ("WHERE message (expr)"). Added a Security
  Settings section to setup.php with a warning description.

- CSV export replaces lossy trim($x, ' =+-@') with a syslog_csv_safe()
  helper that prepends a single quote only when the first character
  is one of =+-@, TAB, CR. Preserves content verbatim while defusing
  spreadsheet formula injection per OWASP guidance.

- Host autocomplete dropdown builds <option> elements via jQuery's
  attr()/text() instead of HTML string concatenation wrapped in
  DOMPurify.sanitize(). DOMPurify does not escape attribute
  delimiters, so a host containing a double quote could still break
  out of the class/value attribute.

- Autocomplete onChange dispatcher enforces a bare-identifier
  whitelist and looks the callback up as a direct window[name]
  property. Rejects dotted paths, arguments, and anything that is
  not a function, with a console.warn. Server side, the three
  initSyslogAutocomplete arguments now go through json_encode()
  instead of single-quote interpolation.

- Ported tests/regression/issue254_partition_table_locking_test.php
  to the new syslog_partition_check/create two-argument signatures
  and extended it to assert the UTC-midnight boundary arithmetic,
  the hard-fail on unknown partition expression, and the
  syslog_manage_items table-name allowlist.

Verification:
- php -l on every touched file
- node -c on js/functions.js
- all eight regression tests in tests/regression/ that pass on
  develop continue to pass; issue254 was restored and passes;
  three pre-existing failures (issue253, issue269 x2) are
  unchanged on develop.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 functions.php                                 | 163 ++++++++---
 js/functions.js                               |  60 +++-
 setup.php                                     |  26 +-
 syslog.php                                    |   2 +-
 .../issue254_partition_table_locking_test.php | 256 ++++++++++++++++++
 5 files changed, 451 insertions(+), 56 deletions(-)
 create mode 100644 tests/regression/issue254_partition_table_locking_test.php

diff --git a/functions.php b/functions.php
index 1e54c13..dcc159a 100644
--- a/functions.php
+++ b/functions.php
@@ -318,10 +318,19 @@ function syslog_partition_create($table, $time = null) {
 		return false;
 	}
 
+	$success = false;
+
 	try {
-		// determine the format of the table name
-		$cformat = 'd' . gmdate('Ymd', $time);
-		$lnow    = gmdate('Y-m-d', strtotime('+1 day', $time));
+		/*
+		 * Boundary arithmetic is done in PHP against the UTC epoch so the
+		 * result is independent of both the PHP and MySQL session time zones.
+		 * $boundary_epoch is the next UTC midnight strictly after $time; it
+		 * becomes the VALUES LESS THAN literal for UNIX_TIMESTAMP partitions
+		 * and the source for the date string passed to TO_DAYS.
+		 */
+		$boundary_epoch = ((int)($time / 86400) + 1) * 86400;
+		$cformat        = 'd' . gmdate('Ymd', $time);
+		$boundary_date  = gmdate('Y-m-d', $boundary_epoch);
 
 		$exists = syslog_db_fetch_row_prepared('SELECT *
 			FROM `information_schema`.`partitions`
@@ -340,30 +349,41 @@ function syslog_partition_create($table, $time = null) {
 			 * MySQL does not support parameter binding for DDL identifiers
 			 * or partition definitions. $table is safe because it passed
 			 * syslog_partition_table_allowed() (two-value allowlist plus
-			 * regex guard). $cformat and $lnow derive from date() and
-			 * contain only digits, hyphens, and the letter 'd'.
+			 * regex guard). $cformat, $boundary_epoch, and $boundary_date
+			 * derive from integer arithmetic and gmdate(), so they contain
+			 * only digits, hyphens, and the letter 'd'.
 			 */
 			$create_syntax = syslog_db_fetch_row("SHOW CREATE TABLE `$syslogdb_default`.`$table`");
 
-			if (cacti_sizeof($create_syntax)) {
-				if (str_contains($create_syntax['Create Table'], 'TO_DAYS')) {
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
-						PARTITION $cformat VALUES LESS THAN (TO_DAYS('$lnow')),
-						PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
-				} else {
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
-						PARTITION $cformat VALUES LESS THAN (UNIX_TIMESTAMP('$lnow')),
-						PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
-				}
+			if (!cacti_sizeof($create_syntax) || empty($create_syntax['Create Table'])) {
+				cacti_log("SYSLOG ERROR: SHOW CREATE TABLE returned no rows for '$table'; partition rotation aborted", false, 'SYSLOG');
+
+				return false;
+			}
+
+			$create_sql = $create_syntax['Create Table'];
+
+			if (strpos($create_sql, 'TO_DAYS') !== false) {
+				syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
+					PARTITION $cformat VALUES LESS THAN (TO_DAYS('$boundary_date')),
+					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
+			} elseif (strpos($create_sql, 'UNIX_TIMESTAMP') !== false) {
+				syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
+					PARTITION $cformat VALUES LESS THAN ($boundary_epoch),
+					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
 			} else {
-				cacti_log('WARNING: Unable to determine Partition type for rotation', false, 'SYSLOG');
+				cacti_log("SYSLOG ERROR: Unable to determine partition expression (neither TO_DAYS nor UNIX_TIMESTAMP) for '$table'; rotation aborted", false, 'SYSLOG');
+
+				return false;
 			}
 		}
+
+		$success = true;
 	} finally {
 		syslog_db_fetch_cell_prepared('SELECT RELEASE_LOCK(?)', [$lock_name]);
 	}
 
-	return true;
+	return $success;
 }
 
 /**
@@ -785,6 +805,31 @@ function sql_hosts_where($tab) {
 	}
 }
 
+/**
+ * Defuse CSV formula injection without mutating content.
+ *
+ * Spreadsheet applications (Excel, LibreOffice, Google Sheets) interpret any
+ * cell starting with =, +, -, @, TAB, or CR as a formula. Prepending a
+ * single quote tells them to treat the cell as literal text. The quote is
+ * visible in the cell but does not alter the underlying data, unlike
+ * trimming which loses characters.
+ *
+ * See OWASP CSV Injection Prevention Cheat Sheet.
+ */
+function syslog_csv_safe($value) {
+	if (!is_string($value) || $value === '') {
+		return $value;
+	}
+
+	$first = $value[0];
+
+	if ($first === '=' || $first === '+' || $first === '-' || $first === '@' || $first === "\t" || $first === "\r") {
+		return "'" . $value;
+	}
+
+	return $value;
+}
+
 function syslog_export($tab) {
 	global $syslog_incoming_config, $severities;
 	global $syslogdb_default;
@@ -851,20 +896,20 @@ function syslog_export($tab) {
 				}
 
 				if (isset($hosts[$message['host_id']])) {
-					$host = trim($hosts[$message['host_id']], ' =+-@');
+					$host = $hosts[$message['host_id']];
 				} else {
 					$host = 'Unknown';
 				}
 
-				$logmsg = trim($message[$syslog_incoming_config['textField']], ' =+-@');
+				$logmsg = $message[$syslog_incoming_config['textField']];
 
 				$line = [
-					$host,
-					ucfirst($facility),
-					ucfirst($priority),
-					ucfirst($program),
+					syslog_csv_safe($host),
+					syslog_csv_safe(ucfirst($facility)),
+					syslog_csv_safe(ucfirst($priority)),
+					syslog_csv_safe(ucfirst($program)),
 					$message['logtime'],
-					$logmsg
+					syslog_csv_safe($logmsg)
 				];
 
 				fputcsv($fp, $line);
@@ -894,17 +939,14 @@ function syslog_export($tab) {
 					$severity = 'Unknown';
 				}
 
-				$host   = trim($message['host'], ' =+-@');
-				$logmsg = trim($message['logmsg'], ' =+-@');
-
 				$line = [
-					$message['name'],
-					$severity,
+					syslog_csv_safe($message['name']),
+					syslog_csv_safe($severity),
 					$message['logtime'],
-					$logmsg,
-					$host,
-					ucfirst($message['facility']),
-					ucfirst($message['priority']),
+					syslog_csv_safe($message['logmsg']),
+					syslog_csv_safe($message['host']),
+					syslog_csv_safe(ucfirst($message['facility'])),
+					syslog_csv_safe(ucfirst($message['priority'])),
 					$message['count']
 				];
 
@@ -985,6 +1027,19 @@ function syslog_manage_items($from_table, $to_table) {
 	global $config, $syslog_cnn, $syslog_incoming_config;
 	global $syslogdb_default;
 
+	/*
+	 * Table names are interpolated into DDL/DML below because MySQL does
+	 * not bind identifiers. Reject anything outside the static allowlist
+	 * so a future caller cannot turn this into a SQL injection surface.
+	 */
+	$allowed_tables = ['syslog', 'syslog_incoming', 'syslog_removed'];
+
+	if (!in_array($from_table, $allowed_tables, true) || !in_array($to_table, $allowed_tables, true)) {
+		cacti_log("SYSLOG ERROR: syslog_manage_items called with disallowed tables from='$from_table' to='$to_table'", false, 'SYSLOG');
+
+		return ['removed' => 0, 'xferred' => 0];
+	}
+
 	// Select filters to work on
 	$rows = syslog_db_fetch_assoc("SELECT * FROM `$syslogdb_default`.`syslog_remove` WHERE enabled = 'on'");
 
@@ -1052,12 +1107,25 @@ function syslog_manage_items($from_table, $to_table) {
 						WHERE message LIKE " . db_qstr('%' . $remove['message']);
 				}
 			} elseif ($remove['type'] == 'sql') {
+				/*
+				 * Raw SQL rules are admin-defined expressions interpolated
+				 * into the WHERE clause. They are dangerous by design and
+				 * gated behind an explicit opt-in. The previous syntax
+				 * ("WHERE message (expr)") was also invalid MySQL and could
+				 * never have executed successfully.
+				 */
+				if (read_config_option('syslog_allow_sql_rules') != 'on') {
+					cacti_log("SYSLOG: Skipping SQL removal rule '" . $remove['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
+
+					continue;
+				}
+
 				if ($remove['method'] != 'del') {
 					$sql_sel = "SELECT seq FROM `$syslogdb_default`.`$from_table`
-						WHERE message (" . $remove['message'] . ') ';
+						WHERE (" . $remove['message'] . ')';
 				} else {
 					$sql_dlt = "DELETE FROM `$syslogdb_default`.`$from_table`
-						WHERE message (" . $remove['message'] . ') ';
+						WHERE (" . $remove['message'] . ')';
 				}
 			}
 
@@ -1767,7 +1835,18 @@ function syslog_get_alert_sql(&$alert, $max_seq) {
 		$params[] = $alert['message'];
 		$params[] = $max_seq;
 	} elseif ($alert['type'] == 'sql') {
-		// TODO: Make Injection proof
+		/*
+		 * Raw SQL alert expressions are admin-defined fragments inlined
+		 * into the WHERE clause. They cannot be parameterised and are
+		 * gated behind an explicit opt-in. When disabled, the alert is
+		 * skipped rather than silently matching everything.
+		 */
+		if (read_config_option('syslog_allow_sql_rules') != 'on') {
+			cacti_log("SYSLOG: Skipping SQL alert '" . $alert['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
+
+			return [];
+		}
+
 		$sql = "SELECT *
 			FROM `$syslogdb_default`.`syslog_incoming`
 			WHERE ({$alert['message']})
@@ -2374,6 +2453,18 @@ function syslog_get_report_sql(&$report) {
 	}
 
 	if ($report['type'] == 'sql') {
+		/*
+		 * Raw SQL report expressions are admin-defined fragments inlined
+		 * into the WHERE clause. They cannot be parameterised and are
+		 * gated behind an explicit opt-in. When disabled, the report is
+		 * skipped rather than silently returning every row.
+		 */
+		if (read_config_option('syslog_allow_sql_rules') != 'on') {
+			cacti_log("SYSLOG: Skipping SQL report '" . $report['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
+
+			return '';
+		}
+
 		$sql = "SELECT *
 			FROM `$syslogdb_default`.`syslog`
 			WHERE (" . $report['message'] . ')';
diff --git a/js/functions.js b/js/functions.js
index 81fb2e5..df0c8f1 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -224,8 +224,13 @@ function initSyslogMain(config) {
 							});
 
 							$.each(data, function(index, hostData) {
-								if ($('#host option[value="'+index+'"]').length == 0) {
-									$('#host').append('<option class="'+DOMPurify.sanitize(hostData.class)+'" value="'+DOMPurify.sanitize(index)+'">'+DOMPurify.sanitize(hostData.host)+'</option>');
+								if ($('#host').find('option').filter(function() { return $(this).val() === String(index); }).length == 0) {
+									// jQuery attr/text handle escaping; string concat + DOMPurify leaves attribute quotes unescaped.
+									$('<option>')
+										.attr('value', index)
+										.attr('class', hostData.class)
+										.text(hostData.host)
+										.appendTo('#host');
 								}
 							});
 
@@ -580,16 +585,48 @@ function initSyslogReports() {
  * Autocomplete Form Callback Functions
  * ======================================================================== */
 
-function syslogExecuteFunctionByName(functionName, context /*, args */) {
-	var args       = Array.prototype.slice.call(arguments, 2);
-	var namespaces = functionName.split('.');
-	var func       = namespaces.pop();
+/**
+ * Invoke a whitelisted callback by bare identifier.
+ *
+ * Only accepts a simple identifier ([A-Za-z_$][A-Za-z0-9_$]*). Dotted
+ * paths, arguments, and non-identifier characters are rejected so an
+ * attacker who controls an onChange string cannot reach arbitrary
+ * globals (eval, Function, fetch, ...). If the callback is unknown or
+ * not a function, the call is skipped with a console warning.
+ */
+function syslogInvokeCallback(functionName) {
+	if (typeof functionName !== 'string') {
+		return;
+	}
+
+	var trimmed = functionName.trim();
+
+	// Strip a trailing "()" if present; many callers historically pass "name()".
+	var parenStart = trimmed.indexOf('(');
+
+	if (parenStart !== -1) {
+		trimmed = trimmed.substring(0, parenStart).trim();
+	}
+
+	if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(trimmed)) {
+		if (window.console && console.warn) {
+			console.warn('syslog: refusing to invoke non-identifier callback', functionName);
+		}
+
+		return;
+	}
+
+	var fn = window[trimmed];
 
-	for(var i = 0; i < namespaces.length; i++) {
-		context = context[namespaces[i]];
+	if (typeof fn !== 'function') {
+		if (window.console && console.warn) {
+			console.warn('syslog: callback is not a function', trimmed);
+		}
+
+		return;
 	}
 
-	return context[func].apply(context, args);
+	return fn();
 }
 
 /**
@@ -619,10 +656,7 @@ function initSyslogAutocomplete(formName, callback, onChange) {
 
 				if (onChange) {
 					$(this).autocomplete('close');
-
-					onChange = onChange.replace('(', '').replace(')', '');
-
-					syslogExecuteFunctionByName(onChange, window);
+					syslogInvokeCallback(onChange);
 				}
 			}
 		}).css('border', 'none').css('background-color', 'transparent');
diff --git a/setup.php b/setup.php
index 6fe9f52..1f7d3a9 100644
--- a/setup.php
+++ b/setup.php
@@ -463,18 +463,22 @@ function syslog_create_partitioned_syslog_table($engine = 'InnoDB', $days = 30)
 
 	$parts = '';
 
+	/*
+	 * Partition boundaries are integer epochs computed in PHP and injected
+	 * as numeric literals. This keeps both MySQL and PHP session time zones
+	 * out of the equation: the boundary is always the next UTC midnight
+	 * after the labeled day.
+	 */
 	for ($i = $days; $i >= -1; $i--) {
-		$timestamp = $now - ($i * 86400);
-		$date      = gmdate('Y-m-d', $timestamp);
-		$format    = gmdate('Ymd', strtotime('- 1 day', $timestamp));
+		$day_epoch      = $now - ($i * 86400);
+		$boundary_epoch = ((int)($day_epoch / 86400) + 1) * 86400;
+		$format         = gmdate('Ymd', $day_epoch);
 
-		$parts .= ($parts != '' ? ",\n" : '(') . ' PARTITION d' . $format . " VALUES LESS THAN (UNIX_TIMESTAMP('" . $date . "'))";
+		$parts .= ($parts != '' ? ",\n" : '(') . ' PARTITION d' . $format . ' VALUES LESS THAN (' . $boundary_epoch . ')';
 	}
 
 	$parts .= ",\nPARTITION dMaxValue VALUES LESS THAN MAXVALUE);";
 
-	//cacti_log($sql . $parts);
-
 	syslog_db_execute($sql . $parts);
 }
 
@@ -1259,6 +1263,16 @@ function syslog_config_settings() {
 			'method'        => 'checkbox',
 			'default'       => ''
 		],
+		'syslog_security_header' => [
+			'friendly_name' => __('Security Settings', 'syslog'),
+			'method'        => 'spacer',
+		],
+		'syslog_allow_sql_rules' => [
+			'friendly_name' => __('Allow SQL-type Rules', 'syslog'),
+			'description'   => __('When enabled, Alert, Removal, and Report rules of type SQL will execute their raw SQL fragments as WHERE clauses. These rules are inlined into queries and cannot be parameterised, so a rule author can run arbitrary SQL against the Syslog database. Leave this disabled unless you understand the impact and trust every user who can edit rules.', 'syslog'),
+			'method'        => 'checkbox',
+			'default'       => ''
+		],
 	];
 
 	if (isset($settings['syslog'])) {
diff --git a/syslog.php b/syslog.php
index 0d1c45c..08a7ac7 100644
--- a/syslog.php
+++ b/syslog.php
@@ -2136,7 +2136,7 @@ function syslog_form_callback($form_name, $classic_sql, $column_display, $column
 		}
 		</style>
 		<script type='text/javascript'>
-		initSyslogAutocomplete('<?php print $form_name; ?>', '<?php print $callback; ?>', '<?php print $on_change; ?>');
+		initSyslogAutocomplete(<?php print json_encode($form_name); ?>, <?php print json_encode($callback); ?>, <?php print json_encode($on_change); ?>);
 		</script>
 		<?php
 	}
diff --git a/tests/regression/issue254_partition_table_locking_test.php b/tests/regression/issue254_partition_table_locking_test.php
new file mode 100644
index 0000000..fc5e1f6
--- /dev/null
+++ b/tests/regression/issue254_partition_table_locking_test.php
@@ -0,0 +1,256 @@
+<?php
+
+/*
+ * Regression guard for issue #254 (partition table locking) and the
+ * partition-boundary correctness fixes from the PR #313 follow-up.
+ *
+ * Static analysis: greps functions.php for safety invariants that must hold
+ * regardless of how the rotation logic is refactored. Updated to track the
+ * two-argument signatures introduced in PR #313 (syslog_partition_check and
+ * syslog_partition_create each accept an optional $time parameter).
+ */
+
+$functions = file_get_contents(dirname(__DIR__, 2) . '/functions.php');
+
+if ($functions === false) {
+	fwrite(STDERR, "Failed to load functions.php\n");
+	exit(1);
+}
+
+/* All three information_schema queries must be prepared statements
+ * scoped to the requested table via a placeholder. Match only calls
+ * whose first argument contains 'information_schema' to exclude the
+ * GET_LOCK / RELEASE_LOCK uses of syslog_db_fetch_cell_prepared. */
+$partition_query_count = preg_match_all('/syslog_db_fetch_(?:row|assoc|cell)_prepared\s*\([^)]*information_schema/', $functions);
+
+if ($partition_query_count === false || $partition_query_count !== 3) {
+	fwrite(STDERR, "Partition queries are not consistently scoped to the requested table.\n");
+	exit(1);
+}
+
+if (!preg_match('/SELECT\s+GET_LOCK\s*\(\s*\?\s*,\s*10\s*\)/', $functions)) {
+	fwrite(STDERR, "Partition create lock acquisition is missing.\n");
+	exit(1);
+}
+
+if (!preg_match('/SELECT\s+RELEASE_LOCK\s*\(\s*\?\s*\)/', $functions)) {
+	fwrite(STDERR, "Partition create lock release is missing.\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_partition_table_allowed\s*\(/', $functions)) {
+	fwrite(STDERR, "Partition table validation helper is missing.\n");
+	exit(1);
+}
+
+// RELEASE_LOCK must appear inside a finally block, not just anywhere in the function.
+if (!preg_match('/finally\s*\{[^}]*RELEASE_LOCK/s', $functions)) {
+	fwrite(STDERR, "RELEASE_LOCK is not inside a finally block; lock may be held on exception.\n");
+	exit(1);
+}
+
+// The allowlist must be exactly the two known partition tables, nothing else.
+if (!preg_match("/in_array\(\s*\\\$table\s*,\s*(?:array\s*\(\s*'syslog'\s*,\s*'syslog_removed'\s*\)|\[\s*'syslog'\s*,\s*'syslog_removed'\s*\])\s*,\s*true\s*\)/", $functions)) {
+	fwrite(STDERR, "syslog_partition_table_allowed allowlist is not exactly ['syslog', 'syslog_removed'].\n");
+	exit(1);
+}
+
+// syslog_partition_check must return false in its guard clause for disallowed tables.
+// Signature may be ($table) or ($table, $time = null).
+if (!preg_match('/function\s+syslog_partition_check\s*\(\s*\$table(?:\s*,\s*\$time[^)]*)?\s*\)\s*\{(.{0,600})/s', $functions, $m_check)) {
+	fwrite(STDERR, "syslog_partition_check function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed[^}]*return\s+false/s', $m_check[1])) {
+	fwrite(STDERR, "syslog_partition_check does not return false for disallowed tables.\n");
+	exit(1);
+}
+
+// syslog_partition_remove must return 0 in its guard clause for disallowed tables.
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,400})/s', $functions, $m_remove)) {
+	fwrite(STDERR, "syslog_partition_remove function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed[^}]*return\s+0/s', $m_remove[1])) {
+	fwrite(STDERR, "syslog_partition_remove does not return 0 for disallowed tables.\n");
+	exit(1);
+}
+
+// syslog_partition_remove's information_schema query must bind table_name via placeholder.
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,1800})/s', $functions, $m_remove_full)) {
+	fwrite(STDERR, "syslog_partition_remove function body not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/syslog_db_fetch_(?:row|assoc|cell)_prepared[^)]*information_schema[^)]*table_name\s*=\s*\?/s', $m_remove_full[1])) {
+	fwrite(STDERR, "syslog_partition_remove information_schema query is not scoped to table_name via placeholder.\n");
+	exit(1);
+}
+
+// ---- Allowlist acceptance / rejection tests ----
+
+// The allowlist function must reject values not in the list by returning false.
+if (!preg_match('/function\s+syslog_partition_table_allowed\s*\(\s*\$table\s*\)\s*\{(.{0,600})/s', $functions, $m_allowed)) {
+	fwrite(STDERR, "syslog_partition_table_allowed function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/return\s+false/', $m_allowed[1])) {
+	fwrite(STDERR, "syslog_partition_table_allowed does not explicitly return false for non-members.\n");
+	exit(1);
+}
+
+// Defense-in-depth: the allowlist function must include a regex guard for safe identifiers.
+if (!preg_match('/preg_match.*\[a-z_\]/', $m_allowed[1])) {
+	fwrite(STDERR, "syslog_partition_table_allowed is missing regex defense-in-depth guard.\n");
+	exit(1);
+}
+
+// ---- Lock name must be scoped to both database and table ----
+
+if (!preg_match('/hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*\$syslogdb_default\s*\.\s*[\'"][^"\']*[\'"]\s*\.\s*\$table\s*\)/', $functions)) {
+	fwrite(STDERR, "Lock name hash does not include both database and table.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_remove must log when called with a disallowed table ----
+
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,600})/s', $functions, $m_remove_log)) {
+	fwrite(STDERR, "syslog_partition_remove function not found for log check.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed.*cacti_log.*disallowed.*return\s+0/s', $m_remove_log[1])) {
+	fwrite(STDERR, "syslog_partition_remove does not log a warning for disallowed tables.\n");
+	exit(1);
+}
+
+// ---- DDL safety comment must exist near ALTER TABLE in syslog_partition_create ----
+
+if (!preg_match('/MySQL does not support parameter binding for DDL/', $functions)) {
+	fwrite(STDERR, "Missing DDL safety comment in syslog_partition_create.\n");
+	exit(1);
+}
+
+// ---- No raw (non-prepared) information_schema partition queries may exist ----
+
+$raw_partition_queries = preg_match_all('/syslog_db_fetch_(?:row|assoc|cell)\s*\([^)]*information_schema/', $functions);
+
+if ($raw_partition_queries !== false && $raw_partition_queries > 0) {
+	fwrite(STDERR, "Found $raw_partition_queries raw (non-prepared) information_schema partition queries; all must use _prepared.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_remove must also use GET_LOCK / RELEASE_LOCK in a finally block ----
+
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,2500})\n\}/s', $functions, $m_remove_lock)) {
+	fwrite(STDERR, "syslog_partition_remove function body not found for lock check.\n");
+	exit(1);
+}
+
+if (!preg_match('/GET_LOCK/', $m_remove_lock[1])) {
+	fwrite(STDERR, "syslog_partition_remove does not acquire a lock before ALTER TABLE.\n");
+	exit(1);
+}
+
+if (!preg_match('/finally\s*\{[^}]*RELEASE_LOCK/s', $m_remove_lock[1])) {
+	fwrite(STDERR, "syslog_partition_remove does not release its lock in a finally block.\n");
+	exit(1);
+}
+
+// ---- Lock names must differ between create and remove (per-operation scoping) ----
+
+if (!preg_match('/syslog_partition_create\.\'\s*\.\s*\$table/', $functions)) {
+	fwrite(STDERR, "syslog_partition_create lock name does not include function scope.\n");
+	exit(1);
+}
+
+if (!preg_match('/syslog_partition_remove\.\'\s*\.\s*\$table/', $functions)) {
+	fwrite(STDERR, "syslog_partition_remove lock name does not include function scope.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_create must return early (no DDL) when allowlist fails ----
+// Signature may be ($table) or ($table, $time = null).
+if (!preg_match('/function\s+syslog_partition_create\s*\(\s*\$table(?:\s*,\s*\$time[^)]*)?\s*\)\s*\{(.{0,400})/s', $functions, $m_create_guard)) {
+	fwrite(STDERR, "syslog_partition_create function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed[^}]*return\s+false;/s', $m_create_guard[1])) {
+	fwrite(STDERR, "syslog_partition_create does not return early for disallowed tables.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_check must use _prepared for info_schema ----
+
+if (!preg_match('/function\s+syslog_partition_check\s*\(\s*\$table(?:\s*,\s*\$time[^)]*)?\s*\)\s*\{(.{0,1200})/s', $functions, $m_check_prep)) {
+	fwrite(STDERR, "syslog_partition_check function not found for _prepared check.\n");
+	exit(1);
+}
+
+if (!preg_match('/syslog_db_fetch_cell_prepared[^)]*information_schema[^)]*table_name\s*=\s*\?/s', $m_check_prep[1])) {
+	fwrite(STDERR, "syslog_partition_check does not use _prepared with table_name placeholder.\n");
+	exit(1);
+}
+
+// ---- Partition boundary must be computed in PHP, not via strtotime/UNIX_TIMESTAMP('date') ----
+
+// Isolate the syslog_partition_create function body for partition-specific checks.
+$create_start = strpos($functions, 'function syslog_partition_create');
+
+if ($create_start === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_create.\n");
+	exit(1);
+}
+
+$create_end = strpos($functions, 'function syslog_partition_remove', $create_start);
+
+if ($create_end === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_remove to bound syslog_partition_create.\n");
+	exit(1);
+}
+
+$create_body = substr($functions, $create_start, $create_end - $create_start);
+
+// strtotime() mixes PHP's local time zone into UTC-intended math. Forbid it inside partition code.
+if (preg_match('/strtotime\s*\(/', $create_body)) {
+	fwrite(STDERR, "syslog_partition_create must not call strtotime(); partition math should be integer arithmetic.\n");
+	exit(1);
+}
+
+// UNIX_TIMESTAMP('YYYY-MM-DD') interprets the literal in the MySQL session TZ.
+// Boundaries must be integer literals computed in PHP instead.
+if (preg_match("/UNIX_TIMESTAMP\s*\(\s*'/", $create_body)) {
+	fwrite(STDERR, "syslog_partition_create must not pass a date literal to UNIX_TIMESTAMP(); compute the epoch in PHP.\n");
+	exit(1);
+}
+
+// The boundary computation must be explicit (next UTC midnight).
+if (!preg_match('/\(\(int\)\(\$time\s*\/\s*86400\)\s*\+\s*1\)\s*\*\s*86400/', $create_body)) {
+	fwrite(STDERR, "syslog_partition_create is missing the UTC-midnight boundary epoch computation.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_create must hard-fail when the partition expression cannot be detected ----
+
+if (!preg_match('/SHOW CREATE TABLE.*Unable to determine partition expression/s', $functions)) {
+	fwrite(STDERR, "syslog_partition_create does not hard-fail on unknown partition expression.\n");
+	exit(1);
+}
+
+// ---- syslog_manage_items must validate $from_table and $to_table against an allowlist ----
+
+if (!preg_match('/function\s+syslog_manage_items\s*\(\s*\$from_table\s*,\s*\$to_table\s*\)\s*\{(.{0,1000})/s', $functions, $m_manage)) {
+	fwrite(STDERR, "syslog_manage_items function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/in_array\s*\(\s*\$from_table.*in_array\s*\(\s*\$to_table/s', $m_manage[1])) {
+	fwrite(STDERR, "syslog_manage_items does not validate from_table/to_table against an allowlist.\n");
+	exit(1);
+}
+
+print "issue254_partition_table_locking_test passed\n";

From e24b58a76c11383f5cff2d820f3748df9625005d Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:14:30 -0700
Subject: [PATCH 02/16] fix(security): validate $time input in
 syslog_partition_create

Addresses code review feedback on the PR #313 follow-up. The boundary
epoch calculation ((int)($time / 86400) + 1) * 86400 assumes a
non-negative UTC timestamp; non-numeric or pre-epoch values would
silently underflow. Reject them at function entry with a logged error
and a false return, matching the other guard clauses in the function.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 functions.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/functions.php b/functions.php
index dcc159a..4e10260 100644
--- a/functions.php
+++ b/functions.php
@@ -295,6 +295,17 @@ function syslog_partition_create($table, $time = null) {
 		$time = time() + 3600;
 	}
 
+	// Reject non-numeric or pre-epoch timestamps; boundary math assumes a
+	// non-negative UTC epoch so negative or bogus inputs cannot underflow
+	// the (int)($time / 86400) + 1 computation below.
+	if (!is_numeric($time) || (int)$time < 0) {
+		cacti_log("SYSLOG ERROR: syslog_partition_create called with invalid time '$time' for table '$table'", false, 'SYSLOG');
+
+		return false;
+	}
+
+	$time = (int)$time;
+
 	// Hash to guarantee the lock name stays within MySQL's 64-byte limit.
 	$lock_name = substr(hash('sha256', $syslogdb_default . '.syslog_partition_create.' . $table), 0, 60);
 

From 8254edb36cfa74c82b1231d42dec557e0e159592 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:19:45 -0700
Subject: [PATCH 03/16] fix(security): gate syslog_remove_items SQL-type
 removal rules

Addresses a fourth type=sql path missed in the initial follow-up.
syslog_remove_items() at functions.php:654 also inlined the admin
rule message into the WHERE clause. Apply the same
syslog_allow_sql_rules opt-in that already gates syslog_manage_items,
syslog_get_alert_sql, and syslog_get_report_sql. When the setting is
off, the rule is skipped with a log entry naming the rule.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 functions.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/functions.php b/functions.php
index 4e10260..55c9011 100644
--- a/functions.php
+++ b/functions.php
@@ -652,6 +652,12 @@ function syslog_remove_items($table, $max_seq) {
 					$params[]  = '%' . $remove['message'];
 				}
 			} elseif ($remove['type'] == 'sql') {
+				if (read_config_option('syslog_allow_sql_rules') != 'on') {
+					cacti_log("SYSLOG: Skipping SQL removal rule '" . $remove['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
+
+					continue;
+				}
+
 				if ($table == 'syslog_incoming') {
 					$sql_where = 'WHERE (' . $remove['message'] . ')
 						AND `status` = 1

From aa5c6c8d9920b1d960ef64f48a207c84817e4c22 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:28:56 -0700
Subject: [PATCH 04/16] fix(security): address code review on PR #315

- syslog_partition_manage now gates syslog_partition_remove on the
  return value of syslog_partition_create. Previously a hard failure
  in create would still drop the oldest partition on every poller
  cycle, with no replacement, because remove ran unconditionally.

- syslog_alerts.php and syslog_reports.php refuse to save a type=sql
  rule when 'syslog_allow_sql_rules' is off and raise an admin-visible
  error message naming the setting to flip. The previous empty-result
  fallback displayed a generic "SQL was invalid" error that pointed
  editors at the wrong problem.

- syslog.php now passes JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS |
  JSON_HEX_QUOT to json_encode() for the initSyslogAutocomplete
  arguments. Defense-in-depth so a future tainted value cannot close
  the <script> block.

- syslog_csv_safe strips leading spaces (not tabs or CRs) before
  checking the first character, so " =SUM(A1)" is prefixed while
  leading tab and CR remain detectable as triggers themselves.

- syslog_debug prints H:i:s instead of H:m:s (was printing month
  where minutes should be).

- Regression test tightens the syslog_manage_items allowlist check
  to match the exact allowlist literal and the fail-closed return
  shape. Added a guard that syslog_partition_manage wraps
  syslog_partition_remove in an if on syslog_partition_create's
  return value.

- New tests/regression/issue315_csv_safe_unit_test.php extracts
  syslog_csv_safe via source and exercises empty/null/int/benign
  inputs, every trigger character, leading-space variants, mid-string
  occurrences, and the already-escaped case.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 functions.php                                 | 31 ++++++--
 syslog.php                                    |  7 +-
 syslog_alerts.php                             |  6 ++
 syslog_reports.php                            |  6 ++
 .../issue254_partition_table_locking_test.php | 49 ++++++++++++-
 .../issue315_csv_safe_unit_test.php           | 70 +++++++++++++++++++
 6 files changed, 159 insertions(+), 10 deletions(-)
 create mode 100644 tests/regression/issue315_csv_safe_unit_test.php

diff --git a/functions.php b/functions.php
index 55c9011..e0bd72c 100644
--- a/functions.php
+++ b/functions.php
@@ -241,14 +241,23 @@ function syslog_partition_manage() {
 	// Always create the partition an hour ahead of time
 	$time = time() + 3600;
 
+	/*
+	 * Only run the retention prune when the new partition was created
+	 * successfully. Otherwise a hard failure in syslog_partition_create
+	 * (unknown partition expression, empty SHOW CREATE, invalid $time)
+	 * would combine with syslog_partition_remove to silently drop old
+	 * partitions on every poller cycle without adding a replacement.
+	 */
 	if (syslog_partition_check('syslog', $time)) {
-		syslog_partition_create('syslog', $time);
-		$syslog_deleted = syslog_partition_remove('syslog');
+		if (syslog_partition_create('syslog', $time)) {
+			$syslog_deleted = syslog_partition_remove('syslog');
+		}
 	}
 
 	if (syslog_partition_check('syslog_removed', $time)) {
-		syslog_partition_create('syslog_removed', $time);
-		$syslog_deleted += syslog_partition_remove('syslog_removed');
+		if (syslog_partition_create('syslog_removed', $time)) {
+			$syslog_deleted += syslog_partition_remove('syslog_removed');
+		}
 	}
 
 	return $syslog_deleted;
@@ -838,7 +847,17 @@ function syslog_csv_safe($value) {
 		return $value;
 	}
 
-	$first = $value[0];
+	// Some CSV importers strip leading spaces before parsing as a
+	// formula, so " =SUM(A1)" is still dangerous. Only strip literal
+	// spaces here; tabs and carriage returns are themselves triggers
+	// and must remain detectable as the first character.
+	$stripped = ltrim($value, ' ');
+
+	if ($stripped === '') {
+		return $value;
+	}
+
+	$first = $stripped[0];
 
 	if ($first === '=' || $first === '+' || $first === '-' || $first === '@' || $first === "\t" || $first === "\r") {
 		return "'" . $value;
@@ -979,7 +998,7 @@ function syslog_debug($message) {
 	global $debug;
 
 	if ($debug) {
-		print date('H:m:s') . ' SYSLOG DEBUG: ' . trim($message) . PHP_EOL;
+		print date('H:i:s') . ' SYSLOG DEBUG: ' . trim($message) . PHP_EOL;
 	}
 }
 
diff --git a/syslog.php b/syslog.php
index 08a7ac7..4b67bf0 100644
--- a/syslog.php
+++ b/syslog.php
@@ -2135,8 +2135,13 @@ function syslog_form_callback($form_name, $classic_sql, $column_display, $column
 			white-space: normal !important;
 		}
 		</style>
+		<?php
+		// JSON_HEX_TAG escapes </script>; the other flags block HTML context
+		// escapes if the script block ever runs under unusual content types.
+		$js_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
+		?>
 		<script type='text/javascript'>
-		initSyslogAutocomplete(<?php print json_encode($form_name); ?>, <?php print json_encode($callback); ?>, <?php print json_encode($on_change); ?>);
+		initSyslogAutocomplete(<?php print json_encode($form_name, $js_flags); ?>, <?php print json_encode($callback, $js_flags); ?>, <?php print json_encode($on_change, $js_flags); ?>);
 		</script>
 		<?php
 	}
diff --git a/syslog_alerts.php b/syslog_alerts.php
index 5beacd9..0c9d730 100644
--- a/syslog_alerts.php
+++ b/syslog_alerts.php
@@ -290,6 +290,12 @@ function api_syslog_alert_save($id, $name, $method, $level, $num, $type, $messag
 	$id = 0;
 
 	if (!is_error_message()) {
+		if ($save['type'] == 'sql' && read_config_option('syslog_allow_sql_rules') != 'on') {
+			raise_message('sql_disabled', __('SQL-type rules are disabled. Enable "Allow SQL-type Rules" under Console > Configuration > Settings > Syslog > Security Settings before saving this rule.', 'syslog'), MESSAGE_LEVEL_ERROR);
+
+			return false;
+		}
+
 		$sql = syslog_get_alert_sql($save, 100);
 
 		if (cacti_sizeof($sql)) {
diff --git a/syslog_reports.php b/syslog_reports.php
index 048fbc8..d040f14 100644
--- a/syslog_reports.php
+++ b/syslog_reports.php
@@ -281,6 +281,12 @@ function api_syslog_report_save($id, $name, $type, $message, $timespan, $timepar
 	$id = 0;
 
 	if (!is_error_message()) {
+		if ($save['type'] == 'sql' && read_config_option('syslog_allow_sql_rules') != 'on') {
+			raise_message('sql_disabled', __('SQL-type rules are disabled. Enable "Allow SQL-type Rules" under Console > Configuration > Settings > Syslog > Security Settings before saving this rule.', 'syslog'), MESSAGE_LEVEL_ERROR);
+
+			return false;
+		}
+
 		$sql = syslog_get_alert_sql($save, 100);
 
 		if (cacti_sizeof($sql)) {
diff --git a/tests/regression/issue254_partition_table_locking_test.php b/tests/regression/issue254_partition_table_locking_test.php
index fc5e1f6..a2a810c 100644
--- a/tests/regression/issue254_partition_table_locking_test.php
+++ b/tests/regression/issue254_partition_table_locking_test.php
@@ -241,15 +241,58 @@
 	exit(1);
 }
 
+// ---- syslog_partition_manage must gate syslog_partition_remove on syslog_partition_create's return ----
+
+$manage_start = strpos($functions, 'function syslog_partition_manage');
+
+if ($manage_start === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_manage.\n");
+	exit(1);
+}
+
+$manage_end = strpos($functions, 'function syslog_partition_table_allowed', $manage_start);
+
+if ($manage_end === false) {
+	fwrite(STDERR, "Could not bound syslog_partition_manage.\n");
+	exit(1);
+}
+
+$manage_body = substr($functions, $manage_start, $manage_end - $manage_start);
+
+// The remove() call must be inside an if that checks create()'s return.
+if (!preg_match('/if\s*\(\s*syslog_partition_create\s*\(\s*\'syslog\'\s*,[^)]*\)\s*\)\s*\{\s*\$syslog_deleted\s*=\s*syslog_partition_remove\s*\(\s*\'syslog\'\s*\)/s', $manage_body)) {
+	fwrite(STDERR, "syslog_partition_manage does not gate syslog_partition_remove('syslog') on syslog_partition_create's return value.\n");
+	exit(1);
+}
+
+if (!preg_match('/if\s*\(\s*syslog_partition_create\s*\(\s*\'syslog_removed\'\s*,[^)]*\)\s*\)\s*\{\s*\$syslog_deleted\s*\+\=\s*syslog_partition_remove\s*\(\s*\'syslog_removed\'\s*\)/s', $manage_body)) {
+	fwrite(STDERR, "syslog_partition_manage does not gate syslog_partition_remove('syslog_removed') on syslog_partition_create's return value.\n");
+	exit(1);
+}
+
 // ---- syslog_manage_items must validate $from_table and $to_table against an allowlist ----
 
-if (!preg_match('/function\s+syslog_manage_items\s*\(\s*\$from_table\s*,\s*\$to_table\s*\)\s*\{(.{0,1000})/s', $functions, $m_manage)) {
+if (!preg_match('/function\s+syslog_manage_items\s*\(\s*\$from_table\s*,\s*\$to_table\s*\)\s*\{(.{0,800})/s', $functions, $m_manage)) {
 	fwrite(STDERR, "syslog_manage_items function not found.\n");
 	exit(1);
 }
 
-if (!preg_match('/in_array\s*\(\s*\$from_table.*in_array\s*\(\s*\$to_table/s', $m_manage[1])) {
-	fwrite(STDERR, "syslog_manage_items does not validate from_table/to_table against an allowlist.\n");
+$manage_head = $m_manage[1];
+
+// The allowlist literal must appear explicitly in the guard block.
+if (!preg_match("/\\\$allowed_tables\s*=\s*\[\s*'syslog'\s*,\s*'syslog_incoming'\s*,\s*'syslog_removed'\s*\]/", $manage_head)) {
+	fwrite(STDERR, "syslog_manage_items does not declare the expected \$allowed_tables literal.\n");
+	exit(1);
+}
+
+// Both $from_table and $to_table must be checked with in_array against the allowlist, and the guard must fail closed.
+if (!preg_match('/!in_array\(\$from_table,\s*\$allowed_tables,\s*true\).*!in_array\(\$to_table,\s*\$allowed_tables,\s*true\)/s', $manage_head)) {
+	fwrite(STDERR, "syslog_manage_items does not check both \$from_table and \$to_table with in_array(..., true).\n");
+	exit(1);
+}
+
+if (!preg_match("/return\s*\[\s*'removed'\s*=>\s*0\s*,\s*'xferred'\s*=>\s*0\s*\]/", $manage_head)) {
+	fwrite(STDERR, "syslog_manage_items guard does not fail closed with ['removed' => 0, 'xferred' => 0].\n");
 	exit(1);
 }
 
diff --git a/tests/regression/issue315_csv_safe_unit_test.php b/tests/regression/issue315_csv_safe_unit_test.php
new file mode 100644
index 0000000..d10a829
--- /dev/null
+++ b/tests/regression/issue315_csv_safe_unit_test.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * Unit coverage for syslog_csv_safe(). Extracts the function source from
+ * functions.php and evals a renamed copy so this test does not collide
+ * with the rest of functions.php (which defines many dependencies like
+ * syslog_debug that conflict with test-time stubs).
+ */
+
+$functions = file_get_contents(dirname(__DIR__, 2) . '/functions.php');
+
+if ($functions === false) {
+	fwrite(STDERR, "Failed to load functions.php\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_csv_safe\s*\([^)]*\)\s*\{.*?\n\}/s', $functions, $m)) {
+	fwrite(STDERR, "Could not extract syslog_csv_safe from functions.php\n");
+	exit(1);
+}
+
+$source = str_replace('function syslog_csv_safe', 'function issue315_csv_safe', $m[0]);
+
+eval($source);
+
+$cases = [
+	// [input, expected output, label]
+	['',               '',                'empty string passes through'],
+	[null,             null,              'null passes through'],
+	[42,               42,                'integer passes through'],
+	['router1',        'router1',         'benign string unchanged'],
+	['=SUM(A1)',       "'=SUM(A1)",       'leading = prefixed'],
+	['+1234567',       "'+1234567",       'leading + prefixed'],
+	['-2+3',           "'-2+3",           'leading - prefixed'],
+	['@user',          "'@user",          'leading @ prefixed'],
+	["\tevil",         "'\tevil",         'leading tab prefixed'],
+	["\rboot",         "'\rboot",         'leading CR prefixed'],
+	[' =SUM(A1)',      "' =SUM(A1)",      'leading whitespace before = prefixed'],
+	['  @user',        "'  @user",        'multiple leading spaces before @ prefixed'],
+	['router@home',    'router@home',     '@ not at start unchanged'],
+	['has =equals',    'has =equals',     '= not at start unchanged'],
+	["'=already",      "'=already",       'already-escaped value is not double-prefixed'],
+];
+
+$failures = 0;
+
+foreach ($cases as $idx => $case) {
+	list($input, $expected, $label) = $case;
+
+	$actual = issue315_csv_safe($input);
+
+	if ($actual !== $expected) {
+		fwrite(STDERR, sprintf(
+			"case %d (%s): expected %s, got %s\n",
+			$idx,
+			$label,
+			var_export($expected, true),
+			var_export($actual, true)
+		));
+
+		$failures++;
+	}
+}
+
+if ($failures > 0) {
+	fwrite(STDERR, "$failures syslog_csv_safe test(s) failed\n");
+	exit(1);
+}
+
+print "issue315_csv_safe_unit_test passed\n";

From d6c11b6b147852c70e70afa22a27db8cf1a8bd95 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:33:10 -0700
Subject: [PATCH 05/16] fix: address remaining PR #315 review findings

---
 functions.php   |  6 +++---
 js/functions.js | 12 ++++++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/functions.php b/functions.php
index e0bd72c..db1f896 100644
--- a/functions.php
+++ b/functions.php
@@ -383,11 +383,11 @@ function syslog_partition_create($table, $time = null) {
 
 			$create_sql = $create_syntax['Create Table'];
 
-			if (strpos($create_sql, 'TO_DAYS') !== false) {
+			if (stripos($create_sql, 'TO_DAYS') !== false) {
 				syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
 					PARTITION $cformat VALUES LESS THAN (TO_DAYS('$boundary_date')),
 					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
-			} elseif (strpos($create_sql, 'UNIX_TIMESTAMP') !== false) {
+			} elseif (stripos($create_sql, 'UNIX_TIMESTAMP') !== false) {
 				syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
 					PARTITION $cformat VALUES LESS THAN ($boundary_epoch),
 					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
@@ -2356,7 +2356,7 @@ function syslog_process_reports() {
 					$date1 = date('Y-m-d H:i:s', $current_time - $time_span);
 					$sql .= ' AND logtime BETWEEN ? AND ?';
 					$sql .= ' ORDER BY logtime DESC';
-					$items = syslog_db_fetch_assoc_prepared($sql, [$data1, $date2]);
+					$items = syslog_db_fetch_assoc_prepared($sql, [$date1, $date2]);
 
 					syslog_debug('We have ' . db_affected_rows($syslog_cnn) . ' items for the Report');
 
diff --git a/js/functions.js b/js/functions.js
index df0c8f1..4a709f5 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -601,11 +601,15 @@ function syslogInvokeCallback(functionName) {
 
 	var trimmed = functionName.trim();
 
-	// Strip a trailing "()" if present; many callers historically pass "name()".
-	var parenStart = trimmed.indexOf('(');
+	// Only tolerate an exact trailing "()" for legacy callers; reject any arguments.
+	if (trimmed.endsWith('()')) {
+		trimmed = trimmed.substring(0, trimmed.length - 2).trim();
+	} else if (trimmed.indexOf('(') !== -1 || trimmed.indexOf(')') !== -1) {
+		if (window.console && console.warn) {
+			console.warn('syslog: refusing to invoke callback with arguments or invalid parentheses', functionName);
+		}
 
-	if (parenStart !== -1) {
-		trimmed = trimmed.substring(0, parenStart).trim();
+		return;
 	}
 
 	if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(trimmed)) {

From 91f449669092b45b3e55bf0a40908e1cf41c43c4 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:37:42 -0700
Subject: [PATCH 06/16] fix: harden partition drop handling

---
 functions.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/functions.php b/functions.php
index db1f896..aa5e988 100644
--- a/functions.php
+++ b/functions.php
@@ -458,11 +458,18 @@ function syslog_partition_remove($table) {
 				while ($user_partitions > $days) {
 					$oldest = $number_of_partitions[$i];
 
-					cacti_log("SYSLOG: Removing old partition '" . $oldest['PARTITION_NAME'] . "'", false, 'SYSTEM');
+					$part_name = $oldest['PARTITION_NAME'];
 
-					syslog_debug("Removing partition '" . $oldest['PARTITION_NAME'] . "'");
+					if (!preg_match('/^[a-zA-Z0-9_]+$/', $part_name)) {
+						cacti_log("SYSLOG ERROR: Invalid partition name '$part_name' for '$table'; skipping drop", false, 'SYSLOG');
+						break;
+					}
+
+					cacti_log("SYSLOG: Removing old partition '" . $part_name . "'", false, 'SYSTEM');
+
+					syslog_debug("Removing partition '" . $part_name . "'");
 
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION " . $oldest['PARTITION_NAME']);
+					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
 
 					$i++;
 					$user_partitions--;
@@ -2358,7 +2365,7 @@ function syslog_process_reports() {
 					$sql .= ' ORDER BY logtime DESC';
 					$items = syslog_db_fetch_assoc_prepared($sql, [$date1, $date2]);
 
-					syslog_debug('We have ' . db_affected_rows($syslog_cnn) . ' items for the Report');
+					syslog_debug('We have ' . cacti_sizeof($items) . ' items for the Report');
 
 					$classes = ['even', 'odd'];
 

From 680d5770e8377b5fdc2f6dc466555c5a3c4a0506 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:40:35 -0700
Subject: [PATCH 07/16] fix: validate derived partition boundaries

---
 functions.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/functions.php b/functions.php
index aa5e988..07b9a72 100644
--- a/functions.php
+++ b/functions.php
@@ -352,6 +352,12 @@ function syslog_partition_create($table, $time = null) {
 		$cformat        = 'd' . gmdate('Ymd', $time);
 		$boundary_date  = gmdate('Y-m-d', $boundary_epoch);
 
+		if (!preg_match('/^d\d{8}$/', $cformat) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $boundary_date)) {
+			cacti_log("SYSLOG ERROR: Derived partition values failed format validation for '$table'; rotation aborted", false, 'SYSLOG');
+
+			return false;
+		}
+
 		$exists = syslog_db_fetch_row_prepared('SELECT *
 			FROM `information_schema`.`partitions`
 			WHERE table_schema = ?

From 4f73f741717db3d63011ac1ec8d4d9213f6f469c Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:43:28 -0700
Subject: [PATCH 08/16] fix: stop partition pruning after drop failures

---
 functions.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/functions.php b/functions.php
index 07b9a72..42d9a52 100644
--- a/functions.php
+++ b/functions.php
@@ -475,7 +475,13 @@ function syslog_partition_remove($table) {
 
 					syslog_debug("Removing partition '" . $part_name . "'");
 
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
+					/* $table passed syslog_partition_table_allowed() at function entry; $part_name is regex-validated above. */
+					$result = syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
+
+					if ($result == 0) {
+						cacti_log("SYSLOG ERROR: Failed to drop partition '$part_name' from '$table'; aborting further drops", false, 'SYSLOG');
+						break;
+					}
 
 					$i++;
 					$user_partitions--;

From aff95521b8295b8aeacd7026a3624351202d30a4 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:45:55 -0700
Subject: [PATCH 09/16] fix: tighten partition boundary failure checks

---
 functions.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/functions.php b/functions.php
index 42d9a52..3124aad 100644
--- a/functions.php
+++ b/functions.php
@@ -349,6 +349,13 @@ function syslog_partition_create($table, $time = null) {
 		 * and the source for the date string passed to TO_DAYS.
 		 */
 		$boundary_epoch = ((int)($time / 86400) + 1) * 86400;
+
+		if ($boundary_epoch <= 0 || $boundary_epoch <= $time) {
+			cacti_log("SYSLOG ERROR: Boundary epoch computation overflow for '$table' (time=$time); rotation aborted", false, 'SYSLOG');
+
+			return false;
+		}
+
 		$cformat        = 'd' . gmdate('Ymd', $time);
 		$boundary_date  = gmdate('Y-m-d', $boundary_epoch);
 
@@ -478,7 +485,7 @@ function syslog_partition_remove($table) {
 					/* $table passed syslog_partition_table_allowed() at function entry; $part_name is regex-validated above. */
 					$result = syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
 
-					if ($result == 0) {
+					if ($result === false) {
 						cacti_log("SYSLOG ERROR: Failed to drop partition '$part_name' from '$table'; aborting further drops", false, 'SYSLOG');
 						break;
 					}

From 260bccde5aaa4d2c01f09da78cf5b9b4baed6f6d Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 11:57:11 -0700
Subject: [PATCH 10/16] fix(security): refine partition and timestamp boundary
 handling

---
 functions.php | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/functions.php b/functions.php
index 3124aad..c3dec78 100644
--- a/functions.php
+++ b/functions.php
@@ -300,14 +300,20 @@ function syslog_partition_create($table, $time = null) {
 		return false;
 	}
 
+	if (!preg_match('/^[a-zA-Z0-9_]+$/', $syslogdb_default)) {
+		cacti_log("SYSLOG ERROR: Invalid database name; partition create aborted", false, 'SYSLOG');
+
+		return false;
+	}
+
 	if ($time === null) {
 		$time = time() + 3600;
 	}
 
-	// Reject non-numeric or pre-epoch timestamps; boundary math assumes a
-	// non-negative UTC epoch so negative or bogus inputs cannot underflow
-	// the (int)($time / 86400) + 1 computation below.
-	if (!is_numeric($time) || (int)$time < 0) {
+	// Reject non-numeric, negative, or far-future timestamps; boundary
+	// math assumes a non-negative UTC epoch within 64-bit safe range so
+	// extreme inputs cannot underflow or overflow to float.
+	if (!is_numeric($time) || (int)$time < 0 || (int)$time > 4102444800) {
 		cacti_log("SYSLOG ERROR: syslog_partition_create called with invalid time '$time' for table '$table'", false, 'SYSLOG');
 
 		return false;
@@ -386,7 +392,7 @@ function syslog_partition_create($table, $time = null) {
 			 * derive from integer arithmetic and gmdate(), so they contain
 			 * only digits, hyphens, and the letter 'd'.
 			 */
-			$create_syntax = syslog_db_fetch_row("SHOW CREATE TABLE `$syslogdb_default`.`$table`");
+			$create_syntax = syslog_db_fetch_row_prepared("SHOW CREATE TABLE `$syslogdb_default`.`$table`");
 
 			if (!cacti_sizeof($create_syntax) || empty($create_syntax['Create Table'])) {
 				cacti_log("SYSLOG ERROR: SHOW CREATE TABLE returned no rows for '$table'; partition rotation aborted", false, 'SYSLOG');
@@ -397,11 +403,11 @@ function syslog_partition_create($table, $time = null) {
 			$create_sql = $create_syntax['Create Table'];
 
 			if (stripos($create_sql, 'TO_DAYS') !== false) {
-				syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
+				syslog_db_execute_prepared("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
 					PARTITION $cformat VALUES LESS THAN (TO_DAYS('$boundary_date')),
 					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
 			} elseif (stripos($create_sql, 'UNIX_TIMESTAMP') !== false) {
-				syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
+				syslog_db_execute_prepared("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
 					PARTITION $cformat VALUES LESS THAN ($boundary_epoch),
 					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
 			} else {
@@ -433,6 +439,12 @@ function syslog_partition_remove($table) {
 		return 0;
 	}
 
+	if (!preg_match('/^[a-zA-Z0-9_]+$/', $syslogdb_default)) {
+		cacti_log("SYSLOG ERROR: Invalid database name; partition remove aborted", false, 'SYSLOG');
+
+		return 0;
+	}
+
 	$lock_name = substr(hash('sha256', $syslogdb_default . '.syslog_partition_remove.' . $table), 0, 60);
 
 	$locked = syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', [$lock_name]);
@@ -482,11 +494,11 @@ function syslog_partition_remove($table) {
 
 					syslog_debug("Removing partition '" . $part_name . "'");
 
-					/* $table passed syslog_partition_table_allowed() at function entry; $part_name is regex-validated above. */
-					$result = syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
+					/* $table passed syslog_partition_table_allowed() at function entry; $part_name is regex-validated above. DDL identifiers cannot be parameterized. */
+					$result = syslog_db_execute_prepared("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
 
 					if ($result === false) {
-						cacti_log("SYSLOG ERROR: Failed to drop partition '$part_name' from '$table'; aborting further drops", false, 'SYSLOG');
+						cacti_log("SYSLOG ERROR: Failed to drop partition '$part_name' from '$table' after $i successful drop(s); aborting further drops", false, 'SYSLOG');
 						break;
 					}
 

From 2ad33f0e4d16b850d7406b02b3f87bc1889c06ba Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 15:59:06 -0700
Subject: [PATCH 11/16] refactor: remove SQL rule gating from PR #315

---
 functions.php      | 43 -------------------------------------------
 setup.php          | 10 ----------
 syslog_alerts.php  |  6 ------
 syslog_reports.php |  6 ------
 4 files changed, 65 deletions(-)

diff --git a/functions.php b/functions.php
index c3dec78..926158a 100644
--- a/functions.php
+++ b/functions.php
@@ -699,12 +699,6 @@ function syslog_remove_items($table, $max_seq) {
 					$params[]  = '%' . $remove['message'];
 				}
 			} elseif ($remove['type'] == 'sql') {
-				if (read_config_option('syslog_allow_sql_rules') != 'on') {
-					cacti_log("SYSLOG: Skipping SQL removal rule '" . $remove['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-					continue;
-				}
-
 				if ($table == 'syslog_incoming') {
 					$sql_where = 'WHERE (' . $remove['message'] . ')
 						AND `status` = 1
@@ -1181,19 +1175,6 @@ function syslog_manage_items($from_table, $to_table) {
 						WHERE message LIKE " . db_qstr('%' . $remove['message']);
 				}
 			} elseif ($remove['type'] == 'sql') {
-				/*
-				 * Raw SQL rules are admin-defined expressions interpolated
-				 * into the WHERE clause. They are dangerous by design and
-				 * gated behind an explicit opt-in. The previous syntax
-				 * ("WHERE message (expr)") was also invalid MySQL and could
-				 * never have executed successfully.
-				 */
-				if (read_config_option('syslog_allow_sql_rules') != 'on') {
-					cacti_log("SYSLOG: Skipping SQL removal rule '" . $remove['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-					continue;
-				}
-
 				if ($remove['method'] != 'del') {
 					$sql_sel = "SELECT seq FROM `$syslogdb_default`.`$from_table`
 						WHERE (" . $remove['message'] . ')';
@@ -1909,18 +1890,6 @@ function syslog_get_alert_sql(&$alert, $max_seq) {
 		$params[] = $alert['message'];
 		$params[] = $max_seq;
 	} elseif ($alert['type'] == 'sql') {
-		/*
-		 * Raw SQL alert expressions are admin-defined fragments inlined
-		 * into the WHERE clause. They cannot be parameterised and are
-		 * gated behind an explicit opt-in. When disabled, the alert is
-		 * skipped rather than silently matching everything.
-		 */
-		if (read_config_option('syslog_allow_sql_rules') != 'on') {
-			cacti_log("SYSLOG: Skipping SQL alert '" . $alert['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-			return [];
-		}
-
 		$sql = "SELECT *
 			FROM `$syslogdb_default`.`syslog_incoming`
 			WHERE ({$alert['message']})
@@ -2527,18 +2496,6 @@ function syslog_get_report_sql(&$report) {
 	}
 
 	if ($report['type'] == 'sql') {
-		/*
-		 * Raw SQL report expressions are admin-defined fragments inlined
-		 * into the WHERE clause. They cannot be parameterised and are
-		 * gated behind an explicit opt-in. When disabled, the report is
-		 * skipped rather than silently returning every row.
-		 */
-		if (read_config_option('syslog_allow_sql_rules') != 'on') {
-			cacti_log("SYSLOG: Skipping SQL report '" . $report['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-			return '';
-		}
-
 		$sql = "SELECT *
 			FROM `$syslogdb_default`.`syslog`
 			WHERE (" . $report['message'] . ')';
diff --git a/setup.php b/setup.php
index 1f7d3a9..c403528 100644
--- a/setup.php
+++ b/setup.php
@@ -1263,16 +1263,6 @@ function syslog_config_settings() {
 			'method'        => 'checkbox',
 			'default'       => ''
 		],
-		'syslog_security_header' => [
-			'friendly_name' => __('Security Settings', 'syslog'),
-			'method'        => 'spacer',
-		],
-		'syslog_allow_sql_rules' => [
-			'friendly_name' => __('Allow SQL-type Rules', 'syslog'),
-			'description'   => __('When enabled, Alert, Removal, and Report rules of type SQL will execute their raw SQL fragments as WHERE clauses. These rules are inlined into queries and cannot be parameterised, so a rule author can run arbitrary SQL against the Syslog database. Leave this disabled unless you understand the impact and trust every user who can edit rules.', 'syslog'),
-			'method'        => 'checkbox',
-			'default'       => ''
-		],
 	];
 
 	if (isset($settings['syslog'])) {
diff --git a/syslog_alerts.php b/syslog_alerts.php
index 0c9d730..5beacd9 100644
--- a/syslog_alerts.php
+++ b/syslog_alerts.php
@@ -290,12 +290,6 @@ function api_syslog_alert_save($id, $name, $method, $level, $num, $type, $messag
 	$id = 0;
 
 	if (!is_error_message()) {
-		if ($save['type'] == 'sql' && read_config_option('syslog_allow_sql_rules') != 'on') {
-			raise_message('sql_disabled', __('SQL-type rules are disabled. Enable "Allow SQL-type Rules" under Console > Configuration > Settings > Syslog > Security Settings before saving this rule.', 'syslog'), MESSAGE_LEVEL_ERROR);
-
-			return false;
-		}
-
 		$sql = syslog_get_alert_sql($save, 100);
 
 		if (cacti_sizeof($sql)) {
diff --git a/syslog_reports.php b/syslog_reports.php
index d040f14..048fbc8 100644
--- a/syslog_reports.php
+++ b/syslog_reports.php
@@ -281,12 +281,6 @@ function api_syslog_report_save($id, $name, $type, $message, $timespan, $timepar
 	$id = 0;
 
 	if (!is_error_message()) {
-		if ($save['type'] == 'sql' && read_config_option('syslog_allow_sql_rules') != 'on') {
-			raise_message('sql_disabled', __('SQL-type rules are disabled. Enable "Allow SQL-type Rules" under Console > Configuration > Settings > Syslog > Security Settings before saving this rule.', 'syslog'), MESSAGE_LEVEL_ERROR);
-
-			return false;
-		}
-
 		$sql = syslog_get_alert_sql($save, 100);
 
 		if (cacti_sizeof($sql)) {

From 9e09a8cdfbc46daca31cb6955c606cdd9e033958 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 16:17:26 -0700
Subject: [PATCH 12/16] refactor: align partition maintenance with dMaxValue
 fallback

---
 functions.php                                   | 17 ++++++++---------
 .../issue254_partition_table_locking_test.php   |  6 +++---
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/functions.php b/functions.php
index 926158a..dab2aa2 100644
--- a/functions.php
+++ b/functions.php
@@ -242,11 +242,10 @@ function syslog_partition_manage() {
 	$time = time() + 3600;
 
 	/*
-	 * Only run the retention prune when the new partition was created
-	 * successfully. Otherwise a hard failure in syslog_partition_create
-	 * (unknown partition expression, empty SHOW CREATE, invalid $time)
-	 * would combine with syslog_partition_remove to silently drop old
-	 * partitions on every poller cycle without adding a replacement.
+	 * Only run the retention prune when the next partition is ready.
+	 * If maintenance cannot safely create it, leave dMaxValue in place
+	 * as the write-path safety net and avoid dropping old partitions
+	 * without a replacement.
 	 */
 	if (syslog_partition_check('syslog', $time)) {
 		if (syslog_partition_create('syslog', $time)) {
@@ -357,7 +356,7 @@ function syslog_partition_create($table, $time = null) {
 		$boundary_epoch = ((int)($time / 86400) + 1) * 86400;
 
 		if ($boundary_epoch <= 0 || $boundary_epoch <= $time) {
-			cacti_log("SYSLOG ERROR: Boundary epoch computation overflow for '$table' (time=$time); rotation aborted", false, 'SYSLOG');
+			cacti_log("SYSLOG ERROR: Boundary epoch computation failed for '$table' (time=$time); leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
 
 			return false;
 		}
@@ -366,7 +365,7 @@ function syslog_partition_create($table, $time = null) {
 		$boundary_date  = gmdate('Y-m-d', $boundary_epoch);
 
 		if (!preg_match('/^d\d{8}$/', $cformat) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $boundary_date)) {
-			cacti_log("SYSLOG ERROR: Derived partition values failed format validation for '$table'; rotation aborted", false, 'SYSLOG');
+			cacti_log("SYSLOG ERROR: Derived partition values failed format validation for '$table'; leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
 
 			return false;
 		}
@@ -395,7 +394,7 @@ function syslog_partition_create($table, $time = null) {
 			$create_syntax = syslog_db_fetch_row_prepared("SHOW CREATE TABLE `$syslogdb_default`.`$table`");
 
 			if (!cacti_sizeof($create_syntax) || empty($create_syntax['Create Table'])) {
-				cacti_log("SYSLOG ERROR: SHOW CREATE TABLE returned no rows for '$table'; partition rotation aborted", false, 'SYSLOG');
+				cacti_log("SYSLOG ERROR: SHOW CREATE TABLE returned no rows for '$table'; leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
 
 				return false;
 			}
@@ -411,7 +410,7 @@ function syslog_partition_create($table, $time = null) {
 					PARTITION $cformat VALUES LESS THAN ($boundary_epoch),
 					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
 			} else {
-				cacti_log("SYSLOG ERROR: Unable to determine partition expression (neither TO_DAYS nor UNIX_TIMESTAMP) for '$table'; rotation aborted", false, 'SYSLOG');
+				cacti_log("SYSLOG ERROR: Unable to determine partition expression (neither TO_DAYS nor UNIX_TIMESTAMP) for '$table'; leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
 
 				return false;
 			}
diff --git a/tests/regression/issue254_partition_table_locking_test.php b/tests/regression/issue254_partition_table_locking_test.php
index a2a810c..122d90a 100644
--- a/tests/regression/issue254_partition_table_locking_test.php
+++ b/tests/regression/issue254_partition_table_locking_test.php
@@ -234,10 +234,10 @@
 	exit(1);
 }
 
-// ---- syslog_partition_create must hard-fail when the partition expression cannot be detected ----
+// ---- syslog_partition_create must fall back to dMaxValue when the expression cannot be detected ----
 
-if (!preg_match('/SHOW CREATE TABLE.*Unable to determine partition expression/s', $functions)) {
-	fwrite(STDERR, "syslog_partition_create does not hard-fail on unknown partition expression.\n");
+if (!preg_match('/SHOW CREATE TABLE.*Unable to determine partition expression.*dMaxValue/s', $functions)) {
+	fwrite(STDERR, "syslog_partition_create does not preserve dMaxValue fallback on unknown partition expression.\n");
 	exit(1);
 }
 

From e6c66151b074e783b72edf40a6c936ce2b7b53e1 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 16:28:49 -0700
Subject: [PATCH 13/16] test: fix issue254 regression parser

---
 .../issue254_partition_table_locking_test.php | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/tests/regression/issue254_partition_table_locking_test.php b/tests/regression/issue254_partition_table_locking_test.php
index 122d90a..564c92b 100644
--- a/tests/regression/issue254_partition_table_locking_test.php
+++ b/tests/regression/issue254_partition_table_locking_test.php
@@ -145,17 +145,28 @@
 
 // ---- syslog_partition_remove must also use GET_LOCK / RELEASE_LOCK in a finally block ----
 
-if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,2500})\n\}/s', $functions, $m_remove_lock)) {
-	fwrite(STDERR, "syslog_partition_remove function body not found for lock check.\n");
+$remove_start = strpos($functions, 'function syslog_partition_remove');
+
+if ($remove_start === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_remove.\n");
+	exit(1);
+}
+
+$remove_end = strpos($functions, 'function syslog_partition_check', $remove_start);
+
+if ($remove_end === false) {
+	fwrite(STDERR, "Could not bound syslog_partition_remove.\n");
 	exit(1);
 }
 
-if (!preg_match('/GET_LOCK/', $m_remove_lock[1])) {
+$remove_body = substr($functions, $remove_start, $remove_end - $remove_start);
+
+if (!preg_match('/GET_LOCK/', $remove_body)) {
 	fwrite(STDERR, "syslog_partition_remove does not acquire a lock before ALTER TABLE.\n");
 	exit(1);
 }
 
-if (!preg_match('/finally\s*\{[^}]*RELEASE_LOCK/s', $m_remove_lock[1])) {
+if (!preg_match('/finally\s*\{[^}]*RELEASE_LOCK/s', $remove_body)) {
 	fwrite(STDERR, "syslog_partition_remove does not release its lock in a finally block.\n");
 	exit(1);
 }

From 025823a3390673e73417faa7226874489610e269 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 23:04:20 -0700
Subject: [PATCH 14/16] test(e2e): add orb docker playwright syslog coverage

---
 syslog.php                            |   1 +
 syslog_alerts.php                     |   1 +
 syslog_batch_transfer.php             |   1 +
 syslog_process.php                    |   1 +
 syslog_removal.php                    |   1 +
 syslog_reports.php                    |   1 +
 tests/e2e/playwright/browser-check.js |  51 +++++++++
 tests/e2e/playwright/package.json     |   8 ++
 tests/e2e/playwright/run-e2e.sh       | 142 ++++++++++++++++++++++++++
 tests/e2e/run-orb-docker-e2e.sh       |  98 ++++++++++++++++++
 10 files changed, 305 insertions(+)
 create mode 100644 tests/e2e/playwright/browser-check.js
 create mode 100644 tests/e2e/playwright/package.json
 create mode 100755 tests/e2e/playwright/run-e2e.sh
 create mode 100755 tests/e2e/run-orb-docker-e2e.sh

diff --git a/syslog.php b/syslog.php
index 4b67bf0..0173304 100644
--- a/syslog.php
+++ b/syslog.php
@@ -32,6 +32,7 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/html_tree.php');
+include_once('./plugins/syslog/setup.php');
 include_once('./plugins/syslog/functions.php');
 include_once('./plugins/syslog/database.php');
 
diff --git a/syslog_alerts.php b/syslog_alerts.php
index 5beacd9..6c1875a 100644
--- a/syslog_alerts.php
+++ b/syslog_alerts.php
@@ -25,6 +25,7 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
+include_once('./plugins/syslog/setup.php');
 include_once('./plugins/syslog/functions.php');
 include_once('./plugins/syslog/database.php');
 
diff --git a/syslog_batch_transfer.php b/syslog_batch_transfer.php
index 50caa71..46b627a 100644
--- a/syslog_batch_transfer.php
+++ b/syslog_batch_transfer.php
@@ -25,6 +25,7 @@
 chdir('../../');
 include('./include/cli_check.php');
 include_once('./lib/poller.php');
+include_once('./plugins/syslog/setup.php');
 include_once('./plugins/syslog/functions.php');
 include_once('./plugins/syslog/database.php');
 
diff --git a/syslog_process.php b/syslog_process.php
index 7a59513..f6613f5 100644
--- a/syslog_process.php
+++ b/syslog_process.php
@@ -23,6 +23,7 @@
 */
 
 include(__DIR__ . '/../../include/cli_check.php');
+include_once(__DIR__ . '/setup.php');
 include_once(__DIR__ . '/functions.php');
 include_once(__DIR__ . '/database.php');
 
diff --git a/syslog_removal.php b/syslog_removal.php
index b92193e..bf89475 100644
--- a/syslog_removal.php
+++ b/syslog_removal.php
@@ -25,6 +25,7 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
+include_once('./plugins/syslog/setup.php');
 include_once('./plugins/syslog/functions.php');
 include_once('./plugins/syslog/database.php');
 
diff --git a/syslog_reports.php b/syslog_reports.php
index 048fbc8..b24032e 100644
--- a/syslog_reports.php
+++ b/syslog_reports.php
@@ -25,6 +25,7 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
+include_once('./plugins/syslog/setup.php');
 include_once('./plugins/syslog/functions.php');
 include_once('./plugins/syslog/database.php');
 
diff --git a/tests/e2e/playwright/browser-check.js b/tests/e2e/playwright/browser-check.js
new file mode 100644
index 0000000..4d26923
--- /dev/null
+++ b/tests/e2e/playwright/browser-check.js
@@ -0,0 +1,51 @@
+const { chromium } = require('playwright');
+
+function expectContains(haystack, needle, label) {
+  if (!haystack.includes(needle)) {
+    throw new Error(`Expected ${label} to contain: ${needle}`);
+  }
+}
+
+async function login(page) {
+  await page.goto('http://cacti_web/cacti/', { waitUntil: 'domcontentloaded' });
+  await page.locator('#login_username').fill('admin');
+  await page.locator('#login_password').fill('Admin123!');
+  await Promise.all([
+    page.waitForURL(/\/cacti\/index\.php/, { timeout: 30000 }),
+    page.locator('form#auth').evaluate((form) => form.submit())
+  ]);
+}
+
+async function main() {
+  const browser = await chromium.launch({
+    headless: true,
+    args: ['--no-sandbox', '--disable-dev-shm-usage']
+  });
+  const page = await browser.newPage();
+
+  await login(page);
+
+  const pagePath = process.env.PAGE_PATH || 'index.php';
+  await page.goto(`http://cacti_web/cacti/${pagePath}`, { waitUntil: 'domcontentloaded' });
+
+  const title = await page.title();
+  const body = await page.locator('body').innerText();
+
+  if (process.env.EXPECT_TITLE) {
+    expectContains(title, process.env.EXPECT_TITLE, 'title');
+  }
+
+  for (const key of ['EXPECT_TEXT', 'EXPECT_TEXT_2', 'EXPECT_TEXT_3']) {
+    if (process.env[key]) {
+      expectContains(body, process.env[key], 'body');
+    }
+  }
+
+  console.log(`ok ${pagePath}`);
+  await browser.close();
+}
+
+main().catch((error) => {
+  console.error(error.stack || String(error));
+  process.exit(1);
+});
diff --git a/tests/e2e/playwright/package.json b/tests/e2e/playwright/package.json
new file mode 100644
index 0000000..9a99923
--- /dev/null
+++ b/tests/e2e/playwright/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "plugin-syslog-e2e",
+  "private": true,
+  "version": "1.0.0",
+  "devDependencies": {
+    "playwright": "1.52.0"
+  }
+}
diff --git a/tests/e2e/playwright/run-e2e.sh b/tests/e2e/playwright/run-e2e.sh
new file mode 100755
index 0000000..4ea0443
--- /dev/null
+++ b/tests/e2e/playwright/run-e2e.sh
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PW_IMAGE="mcr.microsoft.com/playwright:v1.52.0-jammy"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
+PW_PREFIX=(
+  docker run --rm
+  --network cacti-syslog-e2e_default
+  --ipc=host
+  -v "${ROOT_DIR}/tests/e2e/playwright:/work"
+  -w /work
+)
+
+pass_count=0
+
+db_scalar() {
+  docker exec cacti_db mariadb -N -B -ucacti -pcacti cacti -e "$1"
+}
+
+db_exec() {
+  docker exec cacti_db mariadb -ucacti -pcacti cacti -e "$1" >/dev/null
+}
+
+browser_check() {
+  local page_path="$1"
+  local expect_title="$2"
+  local expect_text="$3"
+  local expect_text_2="${4:-}"
+  local expect_text_3="${5:-}"
+
+  "${PW_PREFIX[@]}" \
+    -e "PAGE_PATH=${page_path}" \
+    -e "EXPECT_TITLE=${expect_title}" \
+    -e "EXPECT_TEXT=${expect_text}" \
+    -e "EXPECT_TEXT_2=${expect_text_2}" \
+    -e "EXPECT_TEXT_3=${expect_text_3}" \
+    "$PW_IMAGE" \
+    node browser-check.js >/dev/null
+}
+
+run_test() {
+  local name="$1"
+  shift
+  echo "TEST ${name}"
+  "$@"
+  pass_count=$((pass_count + 1))
+  echo "PASS ${name}"
+}
+
+assert_equals() {
+  local actual="$1"
+  local expected="$2"
+  local label="$3"
+
+  if [[ "$actual" != "$expected" ]]; then
+    echo "FAIL ${label}: expected '${expected}', got '${actual}'" >&2
+    exit 1
+  fi
+}
+
+normalize_admin() {
+  docker exec cacti_web php -r 'require "include/global.php"; $hash = password_hash("Admin123!", PASSWORD_BCRYPT); db_execute_prepared("UPDATE user_auth SET password = ?, must_change_password = \"\", password_change = \"\" WHERE username = \"admin\"", [$hash]);' >/dev/null
+}
+
+reset_syslog_data() {
+  db_exec "TRUNCATE syslog_incoming; TRUNCATE syslog; TRUNCATE syslog_removed; TRUNCATE syslog_statistics; TRUNCATE syslog_hosts; TRUNCATE syslog_programs; TRUNCATE syslog_host_facilities; DELETE FROM syslog_remove;"
+}
+
+seed_incoming() {
+  local host="$1"
+  local program="$2"
+  local message="$3"
+  db_exec "INSERT INTO syslog_incoming (facility_id, priority_id, program, logtime, host, message) VALUES (1, 6, '${program}', NOW(), '${host}', '${message}')"
+}
+
+run_processor() {
+  docker exec cacti_web php /var/www/html/cacti/plugins/syslog/syslog_process.php --debug >/dev/null
+}
+
+test_login_console() {
+  browser_check "index.php" "Console" "Main Console" "Logged in as admin"
+}
+
+test_syslog_empty_page() {
+  reset_syslog_data
+  browser_check "plugins/syslog/syslog.php" "Console > Syslog" "No Syslog Messages" "Unprocessed Messages: 0"
+}
+
+test_alerts_page() {
+  browser_check "plugins/syslog/syslog_alerts.php" "Console > Syslog Alerts" "No Syslog Alerts Defined"
+}
+
+test_removal_page() {
+  browser_check "plugins/syslog/syslog_removal.php" "Console > Syslog Removal" "No Syslog Removal Rules Defined"
+}
+
+test_reports_page() {
+  browser_check "plugins/syslog/syslog_reports.php" "Console > Syslog Reports" "No Syslog Reports Defined"
+}
+
+test_plain_ingest_to_main() {
+  seed_incoming "e2e-host-1" "e2e-prog-1" "E2E-TOKEN-ONE plain ingest"
+  run_processor
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_incoming")" "0" "incoming queue should be drained"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog WHERE message = 'E2E-TOKEN-ONE plain ingest'")" "1" "plain message should land in syslog"
+}
+
+test_plain_ingest_normalization() {
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_hosts WHERE host = 'e2e-host-1'")" "1" "host should be normalized"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_programs WHERE program = 'e2e-prog-1'")" "1" "program should be normalized"
+}
+
+test_plain_ingest_visible_in_ui() {
+  browser_check "plugins/syslog/syslog.php?rfilter=E2E-TOKEN-ONE" "Console > Syslog" "E2E-TOKEN-ONE" "e2e-host-1" "e2e-prog-1"
+}
+
+test_second_ingest_accumulates() {
+  seed_incoming "e2e-host-2" "e2e-prog-2" "E2E-TOKEN-TWO second ingest"
+  run_processor
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog")" "2" "two processed records should exist"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_hosts WHERE host = 'e2e-host-2'")" "1" "second host should be normalized"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_programs WHERE program = 'e2e-prog-2'")" "1" "second program should be normalized"
+}
+
+test_second_ingest_visible_in_ui() {
+  browser_check "plugins/syslog/syslog.php?rfilter=E2E-TOKEN-TWO" "Console > Syslog" "E2E-TOKEN-TWO" "e2e-host-2" "e2e-prog-2"
+}
+
+normalize_admin
+
+run_test "1 login console" test_login_console
+run_test "2 syslog empty page" test_syslog_empty_page
+run_test "3 alerts page" test_alerts_page
+run_test "4 removal page" test_removal_page
+run_test "5 reports page" test_reports_page
+run_test "6 plain ingest to main" test_plain_ingest_to_main
+run_test "7 plain ingest normalization" test_plain_ingest_normalization
+run_test "8 plain ingest visible in ui" test_plain_ingest_visible_in_ui
+run_test "9 second ingest accumulates" test_second_ingest_accumulates
+run_test "10 second ingest visible in ui" test_second_ingest_visible_in_ui
+
+echo "ALL PASS ${pass_count}"
diff --git a/tests/e2e/run-orb-docker-e2e.sh b/tests/e2e/run-orb-docker-e2e.sh
new file mode 100755
index 0000000..796e0f7
--- /dev/null
+++ b/tests/e2e/run-orb-docker-e2e.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+CACTI_REPO="${CACTI_REPO:-$(cd "${ROOT_DIR}/../cacti" && pwd)}"
+TEMP_DIR="${TEMP_DIR:-/tmp/cacti-syslog-e2e}"
+PW_IMAGE="${PW_IMAGE:-mcr.microsoft.com/playwright:v1.52.0-jammy}"
+
+rm -rf "${TEMP_DIR}"
+mkdir -p "${TEMP_DIR}/plugins/syslog"
+
+rsync -a --delete "${CACTI_REPO}/" "${TEMP_DIR}/"
+rsync -a --delete "${ROOT_DIR}/" "${TEMP_DIR}/plugins/syslog/"
+
+cat > "${TEMP_DIR}/.env" <<'EOF'
+WEB_PORT=18080
+PHP_MEMORY_LIMIT=512M
+DB_ROOT_PASSWORD=root
+DB_NAME=cacti
+DB_USER=cacti
+DB_PASSWORD=cacti
+DB_PORT=13306
+DB_MAX_CONNECTIONS=200
+DB_BUFFER_POOL_SIZE=512M
+TIMEZONE=UTC
+EOF
+
+cat > "${TEMP_DIR}/plugins/syslog/config.php" <<'EOF'
+<?php
+
+global $config, $database_type, $database_default, $database_hostname;
+global $database_username, $database_password, $database_port, $database_retries;
+global $database_ssl, $database_ssl_key, $database_ssl_cert, $database_ssl_ca;
+
+$use_cacti_db = true;
+
+if (!$use_cacti_db) {
+	$syslogdb_type     = 'mysql';
+	$syslogdb_default  = 'syslog';
+	$syslogdb_hostname = 'localhost';
+	$syslogdb_username = 'cactiuser';
+	$syslogdb_password = 'cactiuser';
+	$syslogdb_port     = 3306;
+	$syslogdb_retries  = 5;
+	$syslogdb_ssl      = false;
+	$syslogdb_ssl_key  = '';
+	$syslogdb_ssl_cert = '';
+	$syslogdb_ssl_ca   = '';
+} else {
+	$syslogdb_type     = $database_type;
+	$syslogdb_default  = $database_default;
+	$syslogdb_hostname = $database_hostname;
+	$syslogdb_username = $database_username;
+	$syslogdb_password = $database_password;
+	$syslogdb_port     = $database_port;
+	$syslogdb_retries  = $database_retries;
+	$syslogdb_ssl      = $database_ssl;
+	$syslogdb_ssl_key  = $database_ssl_key;
+	$syslogdb_ssl_cert = $database_ssl_cert;
+	$syslogdb_ssl_ca   = $database_ssl_ca;
+}
+
+$syslog_install_options['upgrade_type'] = 'truncate';
+$syslog_install_options['engine']       = 'innodb';
+$syslog_install_options['db_type']      = 'trad';
+$syslog_install_options['days']         = '30';
+$syslog_install_options['mode']         = 'install';
+$syslog_install_options['id']           = 'syslog';
+
+$syslog_incoming_config['priorityField'] = 'priority_id';
+$syslog_incoming_config['facilityField'] = 'facility_id';
+$syslog_incoming_config['programField']  = 'program';
+$syslog_incoming_config['timeField']     = 'logtime';
+$syslog_incoming_config['hostField']     = 'host';
+$syslog_incoming_config['textField']     = 'message';
+$syslog_incoming_config['id']            = 'seq';
+EOF
+
+docker compose -f "${TEMP_DIR}/docker-compose.yml" down -v >/dev/null 2>&1 || true
+docker compose -f "${TEMP_DIR}/docker-compose.yml" up -d --build
+
+docker exec cacti_web ln -sf /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
+docker exec cacti_web sh -lc 'mkdir -p /var/www/html/cacti/cache/boost /var/www/html/cacti/cache/mibcache /var/www/html/cacti/cache/realtime /var/www/html/cacti/cache/spikekill && chown -R www-data:www-data /var/www/html/cacti/cache'
+docker exec cacti_web sh -lc 'apt-get update >/dev/null && apt-get install -y --no-install-recommends fping >/dev/null'
+docker exec cacti_web sh -lc 'touch /var/www/html/cacti/log/cacti.log && chown www-data:www-data /var/www/html/cacti/log/cacti.log'
+
+docker exec cacti_web php cli/install_cacti.php --accept-eula --install --force
+docker exec cacti_web php cli/plugin_manage.php --plugin=syslog --install --enable --allperms
+
+docker run --rm \
+  --network cacti-syslog-e2e_default \
+  --ipc=host \
+  -v "${ROOT_DIR}/tests/e2e/playwright:/work" \
+  -w /work \
+  "${PW_IMAGE}" \
+  npm install
+
+"${ROOT_DIR}/tests/e2e/playwright/run-e2e.sh"

From da5bba473e798f299be785375287d61791ff9b85 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 23:09:33 -0700
Subject: [PATCH 15/16] fix: normalize syslog entrypoint plugin includes

---
 syslog.php                | 6 +++---
 syslog_alerts.php         | 6 +++---
 syslog_batch_transfer.php | 6 +++---
 syslog_removal.php        | 6 +++---
 syslog_reports.php        | 6 +++---
 5 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/syslog.php b/syslog.php
index 0173304..bc2e9c3 100644
--- a/syslog.php
+++ b/syslog.php
@@ -32,9 +32,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/html_tree.php');
-include_once('./plugins/syslog/setup.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_alerts.php b/syslog_alerts.php
index 6c1875a..fbf6f28 100644
--- a/syslog_alerts.php
+++ b/syslog_alerts.php
@@ -25,9 +25,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
-include_once('./plugins/syslog/setup.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_batch_transfer.php b/syslog_batch_transfer.php
index 46b627a..aff452a 100644
--- a/syslog_batch_transfer.php
+++ b/syslog_batch_transfer.php
@@ -25,9 +25,9 @@
 chdir('../../');
 include('./include/cli_check.php');
 include_once('./lib/poller.php');
-include_once('./plugins/syslog/setup.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_removal.php b/syslog_removal.php
index bf89475..d446490 100644
--- a/syslog_removal.php
+++ b/syslog_removal.php
@@ -25,9 +25,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
-include_once('./plugins/syslog/setup.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_reports.php b/syslog_reports.php
index b24032e..054b397 100644
--- a/syslog_reports.php
+++ b/syslog_reports.php
@@ -25,9 +25,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
-include_once('./plugins/syslog/setup.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 

From 70de56153d0339d505b294fe3ee6f919c306f7f7 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sat, 11 Apr 2026 01:18:46 -0700
Subject: [PATCH 16/16] test: cover syslog entrypoint include normalization

---
 .../include_path_normalization_test.php       | 108 ++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 tests/regression/include_path_normalization_test.php

diff --git a/tests/regression/include_path_normalization_test.php b/tests/regression/include_path_normalization_test.php
new file mode 100644
index 0000000..3d4ddf6
--- /dev/null
+++ b/tests/regression/include_path_normalization_test.php
@@ -0,0 +1,108 @@
+<?php
+
+$root = dirname(__DIR__, 2);
+
+$entrypoints = [
+	'syslog.php',
+	'syslog_alerts.php',
+	'syslog_removal.php',
+	'syslog_batch_transfer.php',
+	'syslog_reports.php',
+	'syslog_process.php'
+];
+
+$plugin_includes = [
+	'setup.php',
+	'functions.php',
+	'database.php'
+];
+
+foreach ($plugin_includes as $inc) {
+	if (!file_exists($root . '/' . $inc)) {
+		fwrite(STDERR, "Required plugin file missing: $inc\n");
+		exit(1);
+	}
+}
+
+foreach ($entrypoints as $file) {
+	$path = $root . '/' . $file;
+
+	if (!file_exists($path)) {
+		fwrite(STDERR, "Entrypoint file missing: $file\n");
+		exit(1);
+	}
+
+	$content = file_get_contents($path);
+
+	if ($content === false) {
+		fwrite(STDERR, "Failed to read $file\n");
+		exit(1);
+	}
+
+	foreach ($plugin_includes as $inc) {
+		$pattern = '/include_once\s*\(\s*__DIR__\s*\.\s*[\'"]\/\s*' . preg_quote($inc, '/') . '[\'"]\s*\)/';
+
+		if (!preg_match($pattern, $content)) {
+			fwrite(STDERR, "$file must use __DIR__-based include for $inc\n");
+			exit(1);
+		}
+
+		$old_pattern = '/include_once\s*\(\s*[\'"]\.\/plugins\/syslog\/' . preg_quote($inc, '/') . '[\'"]\s*\)/';
+
+		if (preg_match($old_pattern, $content)) {
+			fwrite(STDERR, "$file still uses legacy CWD-relative include for $inc\n");
+			exit(1);
+		}
+	}
+}
+
+$setup = file_get_contents($root . '/setup.php');
+
+if ($setup === false) {
+	fwrite(STDERR, "Failed to read setup.php\n");
+	exit(1);
+}
+
+$expected_functions = [
+	'plugin_syslog_install',
+	'plugin_syslog_check_config',
+	'syslog_connect',
+	'syslog_determine_config'
+];
+
+foreach ($expected_functions as $func) {
+	if (!preg_match('/function\s+' . preg_quote($func, '/') . '\s*\(/', $setup)) {
+		fwrite(STDERR, "setup.php missing expected function: $func\n");
+		exit(1);
+	}
+}
+
+$functions = file_get_contents($root . '/functions.php');
+$database  = file_get_contents($root . '/database.php');
+
+if ($functions === false || $database === false) {
+	fwrite(STDERR, "Failed to read functions.php or database.php\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_db_connect_real\s*\(/', $database)) {
+	fwrite(STDERR, "database.php missing syslog_db_connect_real\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_apply_selected_items_action\s*\(/', $functions)) {
+	fwrite(STDERR, "functions.php missing syslog_apply_selected_items_action\n");
+	exit(1);
+}
+
+if (!preg_match('/include_once\s*\(\s*__DIR__\s*\.\s*[\'"]\/functions\.php[\'"]\s*\)/', $setup)) {
+	fwrite(STDERR, "setup.php must use __DIR__ for functions.php include\n");
+	exit(1);
+}
+
+if (!preg_match('/include_once\s*\(\s*__DIR__\s*\.\s*[\'"]\/database\.php[\'"]\s*\)/', $setup)) {
+	fwrite(STDERR, "setup.php must use __DIR__ for database.php include\n");
+	exit(1);
+}
+
+print "include_path_normalization_test passed\n";