[geeklog-users] An SQL error has occurred

Chris Besignano chris at linsoftlabs.com
Thu Feb 26 22:14:30 EST 2004


I realized why the error occurred but was unable to resolve the issue. 
Geeklog simply locked up and kept returning the SQL error no matter 
which page I accessed. I agree that this is something that should be 
validated. It shouldn't be much work to make it happen, maybe I'll poke 
at it this weekend and add some validation code. Who do I send my 
changes to?

Chris Besignano

Drago Goricanec wrote:

>This is something geeklog should protect against. Either escape the data, or
>validate it prior to injecting it into SQL. If there are plans to do this in a
>future version that's fine, but I don't think it's reasonable for geeklog to
>expect users to provide it with valid data.
>
>The other thing I would suggest is that either we always use POST methods, or
>encrypt and sign the arguments generated in a GET method to avoid either
>replaying or injecting bad data to geeklog. Nevertheless, all data should be
>validated/sanitized prior to use.
>
>regards,
>Drago
>
>Quoting Tony Bibbs <tony at tonybibbs.com>:
>
>
>>the problem is the journal name has a single quote (') in it.  Change 
>>"Chris' Journal" to "Chris Journal" and all would be well.
>>
>>--Tony
>>
>>Chris Besignano wrote:
>>
>>>Hello,
>>>
>>>I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new 
>>>topic, but left a space in the topic id. Now I get this SQL error and 
>>>cannot access any part of the site. What can I do to recover from this? 
>>>Below is a section of my error log.
>>>
>>>
>>>Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>
>>>_______________________________________________
>>>geeklog-users mailing list
>>>geeklog-users at lists.geeklog.net
>>>http://lists.geeklog.net/listinfo/geeklog-users
>>>
>
>




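The failure in the log above and Drago's two remedies (validate the topic id, and pass data to SQL without pasting it into the query string), as an added stand-alone example that is not Geeklog code. It uses Python and an in-memory sqlite3 table standing in for gl_stories (the real site runs PHP on MySQL, so NOW() becomes datetime('now')), and the topic-id whitelist pattern is an assumption, not Geeklog's actual rule.

```python
import re
import sqlite3

# Constructed stand-in for Geeklog's gl_stories table (sqlite3, not MySQL).
SCHEMA = """
CREATE TABLE gl_stories (
    sid TEXT PRIMARY KEY, tid TEXT NOT NULL,
    draft_flag INTEGER NOT NULL, date TEXT NOT NULL
);
"""
ROWS = [  # constructed sample rows; story2 is a draft and must not be counted
    ("story1", "Chris'Journal", 0, "2004-02-25 10:00:00"),
    ("story2", "Chris'Journal", 1, "2004-02-25 11:00:00"),
    ("story3", "general", 0, "2004-02-24 09:00:00"),
]

# Assumed whitelist for a topic id: letters, digits, '_' and '-' only.
TOPIC_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,20}$")


def is_valid_topic_id(tid):
    """Validation before the id ever reaches SQL: quotes and spaces are rejected."""
    return bool(TOPIC_ID_RE.match(tid))


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO gl_stories VALUES (?, ?, ?, ?)", ROWS)
    return conn


def count_stories_unsafe(conn, tid):
    """The pattern behind the logged error: tid pasted between quote characters."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= datetime('now')) AND (tid = '" + tid + "')")
    return conn.execute(sql).fetchone()[0]


def count_stories_safe(conn, tid):
    """Same query with a bound parameter: the quote in the id is just data."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= datetime('now')) AND (tid = ?)")
    return conn.execute(sql, (tid,)).fetchone()[0]


def unsafe_query_fails(conn, tid):
    """True when the concatenated query is rejected as a syntax error."""
    try:
        count_stories_unsafe(conn, tid)
        return False
    except sqlite3.OperationalError:
        return True
```

With the id "Chris'Journal" the concatenated query is rejected on every page load, exactly as in the log, while the parameterized query returns the one non-draft story.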