[geeklog-users] An SQL error has occurred

Tony Bibbs tony at tonybibbs.com
Fri Feb 27 09:06:45 EST 2004


Drago, yes, I realize that. Please note that this *isn't* a geeklog
problem, it is a problem with the journal plugin that I wrote. It's up
to each individual plugin to handle their DB interaction. When I get
around to it I'll make the fix, I just wanted to provide you the short
term fix to your problem.

--Tony

Drago Goricanec wrote:

> This is something geeklog should protect against. Either escape the data, or
> validate it prior to injecting it into SQL. If there are plans to do this in a
> future version that's fine, but I don't think it's reasonable for geeklog to
> expect users to provide it with valid data.
>
> The other thing I would suggest is that either we always use POST methods, or
> encrypt and sign the arguments generated in a GET method to avoid either
> replaying or injecting bad data to geeklog. Nevertheless, all data should be
> validated/sanitized prior to use.
>
> regards,
> Drago
>
> Quoting Tony Bibbs <tony at tonybibbs.com>:
>
>>the problem is the journal name has a single quote (') in it. Change
>>"Chris' Journal" to "Chris Journal" and all would be well.
>>
>>--Tony
>>
>>Chris Besignano wrote:
>>
>>>Hello,
>>>
>>>I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new
>>>topic, but left a space in the topic id. Now I get this SQL error and
>>>cannot access any part of the site. What can I do to recover from this?
>>>Below is a section of my error log.
>>>
>>>Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL syntax
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL syntax
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL syntax
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL syntax
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
>>>'Chris'Journal')
>>>
>>>_______________________________________________
>>>geeklog-users mailing list
>>>geeklog-users at lists.geeklog.net
>>>http://lists.geeklog.net/listinfo/geeklog-users

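The failure in the quoted error log, reproduced as an added example that is not Geeklog's or the journal plugin's code: Geeklog is PHP, so this uses Python's sqlite3 against a constructed stand-in for gl_stories (assumed schema, sample rows). The interpolated query breaks on a tid of "Chris' Journal" exactly as in the log, the parameterized form treats the quote as data, and a hypothetical allow-list validator stands in for Drago's "validate it prior to injecting it" suggestion.

```python
import re
import sqlite3

# Constructed stand-in for Geeklog's gl_stories table; only the columns the
# logged query touches are modelled (an assumption, not Geeklog's real schema).
SCHEMA = """
CREATE TABLE gl_stories (
    sid        TEXT PRIMARY KEY,
    tid        TEXT NOT NULL,
    draft_flag INTEGER NOT NULL DEFAULT 0,
    date       TEXT NOT NULL
);
"""
SAMPLE_ROWS = [  # constructed sample data
    ("s1", "Chris' Journal", 0, "2004-02-20 10:00:00"),
    ("s2", "Chris' Journal", 1, "2004-02-21 10:00:00"),  # draft: must not count
    ("s3", "Other Journal", 0, "2004-02-22 10:00:00"),
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO gl_stories VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def count_stories_unsafe(conn, tid):
    """Query built by string interpolation, as the plugin did. A tid containing
    a quote turns into the broken statement seen in the error log."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= datetime('now')) AND (tid = '%s')" % tid)
    return conn.execute(sql).fetchone()[0]

def count_stories_safe(conn, tid):
    """Same query with tid bound as a parameter: the quote is data, not syntax."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= datetime('now')) AND (tid = ?)")
    return conn.execute(sql, (tid,)).fetchone()[0]

def unsafe_query_breaks(conn, tid):
    """True when the interpolated query is rejected by the SQL parser."""
    try:
        count_stories_unsafe(conn, tid)
        return False
    except sqlite3.OperationalError:
        return True

def tid_is_valid(tid):
    """Hypothetical allow-list for topic ids (no spaces, no quotes), applied
    before any query is built; Geeklog's real rule is not given in the thread."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", tid) is not None
```

With the benign value "Other Journal" the unsafe query happens to work, which is why the defect only surfaced once a quote reached it.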

