[geeklog-users] An SQL error has occurred

Drago Goricanec drago-l-gl at goricanec.com
Thu Feb 26 19:44:28 EST 2004


This is something geeklog should protect against. Either escape the data, or
validate it prior to injecting it into SQL. If there are plans to do this in a
future version that's fine, but I don't think it's reasonable for geeklog to
expect users to provide it with valid data.

The other thing I would suggest is that either we always use POST methods, or
encrypt and sign the arguments generated in a GET method to avoid either
replaying or injecting bad data to geeklog. Nevertheless, all data should be
validated/sanitized prior to use.

regards,
Drago

Quoting Tony Bibbs <tony at tonybibbs.com>:

> the problem is the journal name has a single quote (') in it.  Change
> "Chris' Journal" to "Chris Journal" and all would be well.
> 
> --Tony
> 
> Chris Besignano wrote:
> > Hello,
> > 
> > I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new 
> > topic, but left a space in the topic id. Now I get this SQL error and 
> > cannot access any part of the site. What can I do to recover from this? 
> > Below is a section of my error log.
> > 
> > 
> > Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL syntax 
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
> > 'Chris'Journal')
> > Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL syntax 
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
> > 'Chris'Journal')
> > Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL syntax 
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
> > 'Chris'Journal')
> > Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL syntax 
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
> > 'Chris'Journal')
> > 
> > _______________________________________________
> > geeklog-users mailing list
> > geeklog-users at lists.geeklog.net
> > http://lists.geeklog.net/listinfo/geeklog-users
> 
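The failure in Chris's log and the two remedies Drago names (validate before use, or keep data out of the SQL text), as an added example that is not geeklog's code. It uses Python with an in-memory SQLite table standing in for MySQL's gl_stories, DATE('now') in place of NOW(), and an allowlist pattern for topic ids that is an assumed policy, not geeklog's:

```python
import re
import sqlite3

# Constructed stand-in for geeklog's gl_stories table (only the columns the
# logged query references); sample rows are constructed too.
SCHEMA = "CREATE TABLE gl_stories (tid TEXT, draft_flag INTEGER, date TEXT)"
SAMPLE_ROWS = [
    ("Chris' Journal", 0, "2004-02-20"),  # the topic id from the thread
    ("Chris' Journal", 1, "2004-02-21"),  # draft: must not be counted
    ("General", 0, "2004-02-22"),
]
# Allowlist for topic ids (an assumed policy, not geeklog's): letters, digits,
# '_' and '-' only, so quotes and spaces are rejected before any SQL is built.
TID_RE = re.compile(r"[A-Za-z0-9_-]+")

def is_valid_tid(tid):
    """Validate-before-use step from the post."""
    return TID_RE.fullmatch(tid) is not None

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO gl_stories VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def count_stories_interpolated(conn, tid):
    """The failing pattern: tid is spliced into the SQL text, so a quote in it
    changes the statement's structure (the 1064 error in the log)."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= DATE('now')) AND (tid = '" + tid + "')")
    return conn.execute(sql).fetchone()[0]

def count_stories_parameterised(conn, tid):
    """The fix: tid reaches the driver as a bound value, never as SQL text."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= DATE('now')) AND (tid = ?)")
    return conn.execute(sql, (tid,)).fetchone()[0]

def outcome(func, tid):
    """Run one variant on a fresh table: ('ok', count) or ('error', message)."""
    try:
        return ("ok", func(make_db(), tid))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    for name, func in (("interpolated", count_stories_interpolated),
                       ("parameterised", count_stories_parameterised)):
        print(name, outcome(func, "Chris' Journal"))
    print("valid id?", is_valid_tid("Chris' Journal"), is_valid_tid("chris-journal"))
```

The interpolated variant fails on "Chris' Journal" exactly as the log shows, while the bound-parameter variant returns the one non-draft story; the allowlist rejects that id before a query is ever built.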
