[geeklog-users] An SQL error has occurred

Tony Bibbs tony at tonybibbs.com
Fri Feb 27 09:07:53 EST 2004


Again, note that the *fix* will happen in the journal plugin's code. If
you find it and fix it please send the fix to
geeklog-devtalk at lists.geeklog.net. Thanks for looking into this...

--Tony

Chris Besignano wrote:

> I realized why the error occurred but was unable to resolve the issue.
> Geeklog simply locked up and kept returning the SQL error no matter
> which page I accessed. I agree that this is something that should be
> validated. It shouldn't be much work to make it happen, maybe I'll poke
> at it this weekend and add some validation code. Who do I send my
> changes to?
>
> Chris Besignano
>
> Drago Goricanec wrote:
>
>> This is something geeklog should protect against. Either escape the
>> data, or validate it prior to injecting it into SQL. If there are plans
>> to do this in a future version that's fine, but I don't think it's
>> reasonable for geeklog to expect users to provide it with valid data.
>>
>> The other thing I would suggest is that either we always use POST
>> methods, or encrypt and sign the arguments generated in a GET method to
>> avoid either replaying or injecting bad data to geeklog. Nevertheless,
>> all data should be validated/sanitized prior to use.
>>
>> regards,
>> Drago
>>
>> Quoting Tony Bibbs <tony at tonybibbs.com>:
>>
>>> the problem is the journal name has a single quote (') in it. Change
>>> "Chris' Journal" to "Chris Journal" and all would be well.
>>>
>>> --Tony
>>>
>>> Chris Besignano wrote:
>>>
>>>> Hello,
>>>>
>>>> I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new
>>>> topic, but left a space in the topic id. Now I get this SQL error
>>>> and cannot access any part of the site. What can I do to recover
>>>> from this? Below is a section of my error log.
>>>>
>>>> Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>> Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>> Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>> Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>>
>>>> _______________________________________________
>>>> geeklog-users mailing list
>>>> geeklog-users at lists.geeklog.net
>>>> http://lists.geeklog.net/listinfo/geeklog-users
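The two points raised in the thread, escaping or validating data before it goes into SQL and signing the arguments of GET requests, as an added example in Python with sqlite3. This is not Geeklog's own PHP/MySQL code and is not part of the thread; the gl_stories columns, the topic-id whitelist (letters, digits, '_' and '-', 1 to 20 characters), the secret and the 300-second validity window are all assumptions constructed for the demo. The concatenated query breaks on the quote in "Chris' Journal" the same way the 1064 errors in Chris's log do, the bound-parameter version treats the quote as data, the whitelist rejects the id before it reaches the database, and the HMAC check rejects tampered or stale links.

```python
import hashlib
import hmac
import re
import sqlite3
import time
from urllib.parse import parse_qs, urlencode

# --- Part 1: the unescaped topic id behind the 1064 errors -----------------
# Constructed in-memory stand-in for gl_stories (assumed columns; the real
# schema is not on the page). The NOW() clause is omitted: sqlite lacks it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl_stories (sid TEXT, tid TEXT, draft_flag INTEGER)")
    conn.executemany("INSERT INTO gl_stories VALUES (?, ?, ?)", [
        ("story1", "Chris' Journal", 0),
        ("story2", "Chris' Journal", 1),   # draft: must not be counted
        ("story3", "news", 0),
    ])
    return conn

def count_stories_concat(conn, tid):
    """The pattern behind the log entries: tid pasted into the SQL text."""
    sql = ("SELECT count(*) AS count FROM gl_stories "
           "WHERE (draft_flag = 0) AND (tid = '" + tid + "')")
    return conn.execute(sql).fetchone()[0]

def count_stories_param(conn, tid):
    """Same query with a bound parameter: the quote is data, not syntax."""
    sql = ("SELECT count(*) AS count FROM gl_stories "
           "WHERE (draft_flag = 0) AND (tid = ?)")
    return conn.execute(sql, (tid,)).fetchone()[0]

# Assumed whitelist for topic ids: letters, digits, '_' and '-', 1-20 chars.
# Spaces and quotes (the two things Chris's id contained) are rejected here,
# at form-submission time, before the value ever reaches the database.
TID_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")

def is_valid_tid(tid):
    return TID_RE.fullmatch(tid) is not None

def demo_sql():
    """Return (did concatenation fail?, count from the parameterised query)."""
    conn = make_db()
    try:
        count_stories_concat(conn, "Chris' Journal")
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True          # sqlite's counterpart of MySQL's 1064
    return concat_failed, count_stories_param(conn, "Chris' Journal")

# --- Part 2: signing GET arguments, as suggested in the thread -------------
SECRET = b"constructed-demo-secret"  # hypothetical; load from config in real use
MAX_AGE = 300                        # seconds a signed link stays valid

def _mac(fields):
    canonical = urlencode(sorted(fields.items()))   # fixed order on both sides
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def sign_args(args, now=None):
    """Build a query string carrying args, a timestamp and an HMAC over both."""
    fields = dict(args)
    fields["ts"] = str(int(time.time() if now is None else now))
    fields["sig"] = _mac(fields)
    return urlencode(fields)

def verify_args(query, now=None):
    """Return the args if the HMAC and timestamp check out, else None."""
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = fields.pop("sig", None)
    ts = fields.get("ts")
    if sig is None or ts is None or not ts.isdigit():
        return None
    if not hmac.compare_digest(sig, _mac(fields)):   # tampered or forged
        return None
    current = time.time() if now is None else now
    if abs(current - int(ts)) > MAX_AGE:             # stale or replayed link
        return None
    del fields["ts"]
    return fields

if __name__ == "__main__":
    print(demo_sql())                                      # (True, 1)
    q = sign_args({"tid": "Chris' Journal", "mode": "edit"})
    print(q, verify_args(q), verify_args(q.replace("edit", "delete")))
```

The bound parameter is the fix that removes the whole class of problem; the whitelist is defence in depth and also gives the user a clear error at the form instead of a site that no longer loads. The timestamp only bounds replay to the validity window; a link that must be single-use additionally needs a server-side record of seen signatures.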
