[geeklog-devel] Re: [geeklog-users] An SQL error has occurred

Tony Bibbs tony at tonybibbs.com
Fri Feb 27 09:48:40 EST 2004


Ah, good catch.  I read through too quick.  Anyway, the thing that 
annoys me most about Geeklog right now is the fact that topic IDs are 
text-based instead of numeric values and, unlike most other primary keys 
in Geeklog, these you can key in yourself.  This is simply bad legacy 
code from Geeklog's days of infancy.  Report this as a bug to 
http://project.geeklog.net/ and we'll need to finally make this a 
priority and get it working right.

I'm cc'ing this to the geeklog-devel list to be sure it gets seen by the 
entire crew.  Again, if you decide to look into this yourself, any help 
is appreciated.  The fix would need to occur in admin/topic.php most likely.

--Tony

Chris Besignano wrote:
> I am not using the Journal Plugin. Just straight-up geeklog. The topic I 
> was creating just happened to include the word Journal.
> 
> Tony Bibbs wrote:
> 
>> Again, note that the *fix* will happen in the journal plugin's code.  
>> If you find it and fix it please send the fix to 
>> geeklog-devtalk at lists.geeklog.net.  Thanks for looking into this...
>>
>> --Tony
>>
>> Chris Besignano wrote:
>>
>>> I realized why the error occurred but was unable to resolve the issue. 
>>> Geeklog simply locked up and kept returning the SQL error no matter 
>>> which page I accessed. I agree that this is something that should be 
>>> validated. It shouldn't be much work to make it happen, maybe I'll 
>>> poke at it this weekend and add some validation code. Who do I send 
>>> my changes to?
>>>
>>> Chris Besignano
>>>
>>> Drago Goricanec wrote:
>>>
>>>> This is something geeklog should protect against. Either escape the 
>>>> data, or validate it prior to injecting it into SQL. If there are plans 
>>>> to do this in a future version that's fine, but I don't think it's 
>>>> reasonable for geeklog to expect users to provide it with valid data.
>>>>
>>>> The other thing I would suggest is that either we always use POST 
>>>> methods, or encrypt and sign the arguments generated in a GET method to 
>>>> avoid either replaying or injecting bad data to geeklog. Nevertheless, 
>>>> all data should be validated/sanitized prior to use.
>>>>
>>>> regards,
>>>> Drago
>>>>
>>>> Quoting Tony Bibbs <tony at tonybibbs.com>:
>>>>
>>>>
>>>>> the problem is the journal name has a single quote (') in it.  
>>>>> Change "Chris' Journal" to "Chris Journal" and all would be well.
>>>>>
>>>>> --Tony
>>>>>
>>>>> Chris Besignano wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a 
>>>>>> new topic, but left a space in the topic id. Now I get this SQL 
>>>>>> error and cannot access any part of the site. What can I do to 
>>>>>> recover from this? Below is a section of my error log.
>>>>>>
>>>>>>
>>>>>> Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL 
>>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>>> Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL 
>>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>>> Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL 
>>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>>> Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL 
>>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>>>
>>>>>> _______________________________________________
>>>>>> geeklog-users mailing list
>>>>>> geeklog-users at lists.geeklog.net
>>>>>> http://lists.geeklog.net/listinfo/geeklog-users
>>>>
>>>
>>
>>
>>
> 

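The failure in the error log above, reproduced and fixed as an added example (this is not Geeklog's code and does not use its real schema; the `gl_stories` and `gl_topics` tables, the rows, and the topic-id character policy are all constructed for the demonstration). The string-built query is the pattern the log shows: a single quote in the topic id terminates the SQL literal early and the database rejects the statement. The bound-parameter version runs the same query safely, and the validator rejects ids containing spaces or quotes before they reach the database, which is the "validate it prior to injecting it into SQL" step Drago asks for.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the tables the thread mentions.

    Only the columns the logged query touches are modelled; this is not
    Geeklog's real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gl_stories (sid TEXT, tid TEXT, draft_flag INTEGER, date TEXT)"
    )
    conn.execute("CREATE TABLE gl_topics (tid TEXT PRIMARY KEY, topic TEXT)")
    conn.executemany(
        "INSERT INTO gl_stories VALUES (?, ?, ?, ?)",
        [
            ("story1", "news", 0, "2004-02-01"),
            ("story2", "Chris'Journal", 0, "2004-02-25"),  # the topic id from the log
            ("story3", "Chris'Journal", 1, "2004-02-26"),  # still a draft
        ],
    )
    return conn


def count_stories_unsafe(conn, tid):
    """The pattern the error log shows: the topic id is pasted straight into SQL.

    A single quote in tid ends the string literal early, so the statement
    that reaches the database is no longer the one the programmer wrote.
    """
    sql = (
        "SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
        "AND (date <= datetime('now')) AND (tid = '%s')"
    ) % tid
    return conn.execute(sql).fetchone()[0]


def unsafe_query_breaks(conn, tid):
    """True when the string-built query is rejected, as in the 1064 errors above."""
    try:
        count_stories_unsafe(conn, tid)
    except sqlite3.OperationalError:
        return True
    return False


def count_stories_safe(conn, tid):
    """Same query with a bound parameter: the value never becomes SQL text."""
    sql = (
        "SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
        "AND (date <= datetime('now')) AND (tid = ?)"
    )
    return conn.execute(sql, (tid,)).fetchone()[0]


# Assumed policy for user-chosen topic ids (not Geeklog's own rule): short,
# alphanumeric plus '_' and '-', so spaces and quotes are rejected at input time.
TOPIC_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,20}$")


def is_valid_topic_id(tid):
    return bool(TOPIC_ID_RE.match(tid))


def create_topic(conn, tid, title):
    """Validate first, then insert with bound parameters. Returns True on success."""
    if not is_valid_topic_id(tid):
        return False
    conn.execute("INSERT INTO gl_topics VALUES (?, ?)", (tid, title))
    return True


if __name__ == "__main__":
    db = make_db()
    bad = "Chris'Journal"
    print("string-built query rejected:", unsafe_query_breaks(db, bad))
    print("parameterised count:", count_stories_safe(db, bad))
    print("topic id accepted by validator:", is_valid_topic_id(bad))
```

Both defences are worth keeping: the bound parameter is what stops the quote from ever being parsed as SQL, and the validator is what stops a site from locking itself out with a topic id that later code (or a URL) cannot carry cleanly.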

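Drago's second suggestion, signing the arguments of a GET request so that altered or replayed links are rejected, as an added example (not Geeklog's code; the secret, the `expires` and `sig` parameter names, and the 300-second validity window are assumptions made for the demonstration). The server signs the sorted argument list plus an expiry with an HMAC; on the way back it recomputes the MAC, compares it in constant time, and refuses links whose window has passed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Assumed server-side secret, constructed for this example; a real deployment
# would generate it and keep it outside the code base.
SECRET = b"constructed-demo-secret"


def _canonical(params):
    """Deterministic serialisation of every argument except the signature."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))


def _mac(params, secret):
    return hmac.new(secret, _canonical(params).encode(), hashlib.sha256).hexdigest()


def sign_query(params, secret, now, ttl=300):
    """Build a query string carrying an expiry and an HMAC over all arguments."""
    signed = dict(params, expires=str(now + ttl))
    signed["sig"] = _mac(signed, secret)
    return urlencode(sorted(signed.items()))


def verify_query(query, secret, now):
    """Return the arguments if the signature is valid and unexpired, else None."""
    parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = parsed.get("sig")
    if sig is None:
        return None
    if not hmac.compare_digest(sig, _mac(parsed, secret)):
        return None  # an argument or the signature was altered
    try:
        if int(parsed.get("expires", "")) < now:
            return None  # link presented after its validity window
    except ValueError:
        return None
    del parsed["sig"]
    return parsed


if __name__ == "__main__":
    link = sign_query({"mode": "edit", "tid": "news"}, SECRET, now=1000)
    print("signed:", link)
    print("valid:", verify_query(link, SECRET, now=1100))
    print("tampered:", verify_query(link.replace("tid=news", "tid=other"), SECRET, now=1100))
    print("expired:", verify_query(link, SECRET, now=2000))
```

Signing does not replace validation: a signed `tid` still has to pass the same input check as any other, since the signature only proves the server generated the link, not that the value is well-formed.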