fix: document uniqueID constraint and remove false-confidence SQL denylist

- Add comment documenting tinyint constraint on uniqueID (1-127 range)
- Replace bypassable SQL denylist with trust-boundary documentation

Signed-off-by: Thomas Vincent <[email protected]>

Author: somethingwithproof

functions.php

@@ -1630,12 +1630,10 @@ function syslog_build_match_filter($type, $value, $column = '') {
 			$params[] = '%' . $value;
 			break;
 		case 'sql':
-			/* Admin-configured raw SQL WHERE clause from syslog_remove table.
-			   Reject values containing statements that should never appear in a filter. */
-			if (preg_match('/\b(DROP|ALTER|TRUNCATE|CREATE|GRANT|REVOKE|INTO\s+OUTFILE|INTO\s+DUMPFILE|LOAD_FILE)\b/i', $value)) {
-				cacti_log('SYSLOG ERROR: Rejected dangerous SQL pattern in removal rule', false, 'SYSTEM');
-				break;
-			}
+			/* The 'sql' match type passes admin-configured expressions directly into
+			 * the WHERE clause. This is an intentional trust boundary: only Cacti
+			 * administrators with console access can configure removal/alert rules.
+			 * No programmatic sanitization can safely parse arbitrary SQL fragments. */
 			$sql = '(' . $value . ')';
 			break;
 	}
@@ -1700,6 +1698,10 @@ function syslog_preprocess_incoming_records() {
 	$uniqueID = 0;
 	$incoming = 0;
 
+	/* uniqueID is constrained to tinyint range (1-127) by the status column.
+	 * Collision probability rises with concurrent pollers; the retry loop
+	 * (up to 256 attempts) mitigates but does not eliminate this risk.
+	 * A future schema change to widen status to int would allow a larger space. */
 	try {
 		$attempts = 0;
 		while (1) {