[geeklog-users] An SQL error has occured

Fri Feb 27 09:17:57 EST 2004

I am not using the Journal Plugin. Just staight-up geeklog. The topic I 
was creating just happened to include the word Journal.

Tony Bibbs wrote:

> Again, note that the *fix* will happen in the journal plugin's code.  
> If you find it and fix it please send the fix to 
> geeklog-devtalk at lists.geeklog.net.  Thanks for looking into this...
>
> --Tony
>
> Chris Besignano wrote:
>
>> I realized why the error occured but was unable to resolve the issue. 
>> Geeklog simply locked up and kept returning the SQL error no matter 
>> which page I accessed. I agree that this is something that should be 
>> validated. It shouldn't be much work to make it happen, maybe I'll 
>> poke at it this weekend and add some validation code. Who do I send 
>> my changes to?
>>
>> Chris Besignano
>>
>> Drago Goricanec wrote:
>>
>>> This is something geeklog should protect against. Either escape the 
>>> data, or
>>> validate it prior to injecting it into SQL. If there are plans to do 
>>> this in a
>>> future version that's fine, but I don't think it's reasonable for 
>>> geeklog to
>>> expect users to provide it with valid data.
>>>
>>> The other thing I would suggest is that either we always use POST 
>>> methods, or
>>> encrypt and sign the arguments generated in a GET method to avoid 
>>> either
>>> replaying or injecting bad data to geeklog. Nevertheless, all data 
>>> should be
>>> validated/sanitized prior to use.
>>>
>>> regards,
>>> Drago
>>>
>>> Quoting Tony Bibbs <tony at tonybibbs.com>:
>>>
>>>  
>>>
>>>> the problem is the journal name has a single quote (') in it.  
>>>> Change "Chris' Journal" to "Chris Journal" and all  would be well.
>>>>
>>>> --Tony
>>>>
>>>> Chris Besignano wrote:
>>>>  
>>>>
>>>>> Hello,
>>>>>
>>>>> I am runnning geeklog 1.3.8-lsr4 on linux. I attempted to add a 
>>>>> new topic, but left a space in the topic id. Now I get this SQL 
>>>>> error and cannot access any part of the site. What can I do to 
>>>>> recover from this? Below is a section of my error log.
>>>>>
>>>>>
>>>>> Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL 
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>> Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL 
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>> Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL 
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>> Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL 
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT 
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date 
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>>
>>>>> _______________________________________________
>>>>> geeklog-users mailing list
>>>>> geeklog-users at lists.geeklog.net
>>>>> http://lists.geeklog.net/listinfo/geeklog-users
>>>>>     
>>>>
>>>>
>>>> _______________________________________________
>>>> geeklog-users mailing list
>>>> geeklog-users at lists.geeklog.net
>>>> http://lists.geeklog.net/listinfo/geeklog-users
>>>>
>>>>   
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> geeklog-users mailing list
>>> geeklog-users at lists.geeklog.net
>>> http://lists.geeklog.net/listinfo/geeklog-users
>>>
>>>  
>>>
>>
>> _______________________________________________
>> geeklog-users mailing list
>> geeklog-users at lists.geeklog.net
>> http://lists.geeklog.net/listinfo/geeklog-users
>
> _______________________________________________
> geeklog-users mailing list
> geeklog-users at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-users
>