[geeklog-users] An SQL error has occurred

Drago Goricanec drago-l-gl at goricanec.com
Thu Feb 26 19:44:28 EST 2004


This is something geeklog should protect against. Either escape the data, or
validate it prior to injecting it into SQL. If there are plans to do this in a
future version that's fine, but I don't think it's reasonable for geeklog to
expect users to provide it with valid data.

The other thing I would suggest is that either we always use POST methods, or
encrypt and sign the arguments generated in a GET method to avoid either
replaying or injecting bad data to geeklog. Nevertheless, all data should be
validated/sanitized prior to use.

regards,
Drago

Quoting Tony Bibbs <tony at tonybibbs.com>:

> the problem is the journal name has a single quote (') in it. Change
> "Chris' Journal" to "Chris Journal" and all would be well.
>
> --Tony
>
> Chris Besignano wrote:
> > Hello,
> >
> > I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new
> > topic, but left a space in the topic id. Now I get this SQL error and
> > cannot access any part of the site. What can I do to recover from this?
> > Below is a section of my error log.
> >
> >
> > Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL syntax
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
> > 'Chris'Journal')
> > Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL syntax
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
> > 'Chris'Journal')
> > Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL syntax
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
> > 'Chris'Journal')
> > Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL syntax
> > near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
> > FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
> > 'Chris'Journal')
> >
> > _______________________________________________
> > geeklog-users mailing list
> > geeklog-users at lists.geeklog.net
> > http://lists.geeklog.net/listinfo/geeklog-users


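The failure in the quoted log and the two remedies Drago describes (escape, or validate before use; plus parameter binding, which keeps the value out of the SQL text entirely), as an added example that is not part of the thread or of geeklog's code. The table, rows, the `date('now')` stand-in for MySQL's `NOW()` and the allowlist pattern for topic ids are all constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the gl_stories table seen in the error log (not geeklog's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl_stories (tid TEXT, draft_flag INTEGER, date TEXT)")
    conn.executemany("INSERT INTO gl_stories VALUES (?, ?, ?)", [
        ("Chris'Journal", 0, "2004-02-26"),   # the topic id that broke the site
        ("Chris'Journal", 1, "2004-02-26"),   # a draft; excluded by draft_flag = 0
        ("news", 0, "2004-02-26"),
    ])
    return conn

# date('now') replaces MySQL's NOW(); otherwise this mirrors the logged query.
WHERE = " FROM gl_stories WHERE (draft_flag = 0) AND (date <= date('now')) AND (tid = "

def count_unsafe(conn, tid):
    # The logged pattern: the topic id is spliced straight into the SQL text,
    # so a single quote in tid closes the string literal early.
    return conn.execute("SELECT count(*) AS count" + WHERE + "'" + tid + "')").fetchone()[0]

def count_escaped(conn, tid):
    # Escaping: doubling each single quote is the SQL-standard form (MySQL accepts it too),
    # so the literal survives intact and the quote is stored as data.
    safe = tid.replace("'", "''")
    return conn.execute("SELECT count(*) AS count" + WHERE + "'" + safe + "')").fetchone()[0]

def count_bound(conn, tid):
    # Parameter binding: the value never becomes part of the SQL text at all.
    return conn.execute("SELECT count(*) AS count" + WHERE + "?)", (tid,)).fetchone()[0]

TID_OK = re.compile(r"^[A-Za-z0-9_-]+$")   # hypothetical allowlist for topic ids

def validate_tid(tid):
    # Validation before use: reject quotes, spaces and anything else outside the allowlist.
    return bool(TID_OK.match(tid))

def unsafe_query_breaks(conn, tid):
    # True when the spliced query raises a syntax error, as the log shows.
    try:
        count_unsafe(conn, tid)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("unsafe breaks:", unsafe_query_breaks(db, "Chris'Journal"))  # True
    print("escaped:", count_escaped(db, "Chris'Journal"))              # 1
    print("bound:", count_bound(db, "Chris'Journal"))                  # 1
    print("valid:", validate_tid("Chris'Journal"), validate_tid("chris_journal"))  # False True
```

Note that `count_unsafe` works for a harmless id like `news`, which is exactly why the defect stayed hidden until a quote reached it.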