[geeklog-users] An SQL error has occurred

Tony Bibbs tony at tonybibbs.com
Fri Feb 27 09:06:45 EST 2004


Drago, yes, I realize that.  Please note that this *isn't* a geeklog 
problem, it is a problem with the journal plugin that I wrote.  It's up 
to each individual plugin to handle their DB interaction.  When I get 
around to it I'll make the fix, I just wanted to provide you the short 
term fix to your problem.

--Tony

Drago Goricanec wrote:
> This is something geeklog should protect against. Either escape the data, or
> validate it prior to injecting it into SQL. If there are plans to do this in a
> future version that's fine, but I don't think it's reasonable for geeklog to
> expect users to provide it with valid data.
> 
> The other thing I would suggest is that either we always use POST methods, or
> encrypt and sign the arguments generated in a GET method to avoid either
> replaying or injecting bad data to geeklog. Nevertheless, all data should be
> validated/sanitized prior to use.
> 
> regards,
> Drago
> 
> Quoting Tony Bibbs <tony at tonybibbs.com>:
> 
> 
>>the problem is the journal name has a single quote (') in it.  Change 
>>"Chris' Journal" to "Chris Journal" and all would be well.
>>
>>--Tony
>>
>>Chris Besignano wrote:
>>
>>>Hello,
>>>
>>>I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new 
>>>topic, but left a space in the topic id. Now I get this SQL error and 
>>>cannot access any part of the site. What can I do to recover from this? 
>>>Below is a section of my error log.
>>>
>>>
>>>Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL syntax 
>>>near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count 
>>>FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid = 
>>>'Chris'Journal')
>>>
>>>_______________________________________________
>>>geeklog-users mailing list
>>>geeklog-users at lists.geeklog.net
>>>http://lists.geeklog.net/listinfo/geeklog-users
>>
>>
> 
> 
> 
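Added example, not code from this thread or from Geeklog itself: the logged story-count query rebuilt in Python against an in-memory SQLite table with constructed rows, showing how concatenating `tid` into the SQL yields the syntax error Chris saw, and the two fixes Drago asks for, binding the value as a parameter and validating it before it reaches SQL at all. The table columns, the `date('now')` stand-in for MySQL's NOW(), and the allow-list pattern are assumptions.

```python
import re
import sqlite3

# Constructed sample rows modelled on the columns the logged query touches
# (draft_flag, date, tid); this is not Geeklog's real schema.
SAMPLE_STORIES = [
    (0, "2004-02-20", "Chris'Journal"),
    (1, "2004-02-21", "Chris'Journal"),  # draft: excluded by draft_flag = 0
    (0, "2004-02-22", "general"),
]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory gl_stories table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl_stories (draft_flag INTEGER, date TEXT, tid TEXT)")
    conn.executemany("INSERT INTO gl_stories VALUES (?, ?, ?)", SAMPLE_STORIES)
    return conn


def count_stories_unsafe(conn: sqlite3.Connection, tid: str) -> int:
    """String-built query as in the thread: a quote inside tid breaks the SQL."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= date('now')) AND (tid = '" + tid + "')")
    return conn.execute(sql).fetchone()[0]


def count_stories_safe(conn: sqlite3.Connection, tid: str) -> int:
    """Same query with tid bound as a parameter; the driver handles quoting."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= date('now')) AND (tid = ?)")
    return conn.execute(sql, (tid,)).fetchone()[0]


# Assumed allow-list for topic ids (letters, digits, '_' and '-'); Geeklog's
# own rule for valid ids may differ.
TID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,20}")


def is_valid_tid(tid: str) -> bool:
    """Reject a topic id before it reaches SQL: Drago's 'validate prior to use'."""
    return TID_PATTERN.fullmatch(tid) is not None


def demo(tid: str = "Chris'Journal"):
    """Run both query styles on the offending id; returns (unsafe, safe, valid)."""
    conn = open_sample_db()
    try:
        unsafe = count_stories_unsafe(conn, tid)   # raises for Chris'Journal
    except sqlite3.OperationalError as exc:
        unsafe = f"SQL error: {exc}"
    return unsafe, count_stories_safe(conn, tid), is_valid_tid(tid)
```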
