[geeklog-users] An SQL error has occured
Chris Besignano
chris at linsoftlabs.com
Fri Feb 27 09:17:57 EST 2004
I am not using the Journal Plugin. Just straight-up geeklog. The topic I
was creating just happened to include the word Journal.
Tony Bibbs wrote:
> Again, note that the *fix* will happen in the journal plugin's code.
> If you find it and fix it please send the fix to
> geeklog-devtalk at lists.geeklog.net. Thanks for looking into this...
>
> --Tony
>
> Chris Besignano wrote:
>
>> I realized why the error occurred but was unable to resolve the issue.
>> Geeklog simply locked up and kept returning the SQL error no matter
>> which page I accessed. I agree that this is something that should be
>> validated. It shouldn't be much work to make it happen, maybe I'll
>> poke at it this weekend and add some validation code. Who do I send
>> my changes to?
>>
>> Chris Besignano
>>
>> Drago Goricanec wrote:
>>
>>> This is something geeklog should protect against. Either escape the
>>> data, or validate it prior to injecting it into SQL. If there are
>>> plans to do this in a future version that's fine, but I don't think
>>> it's reasonable for geeklog to expect users to provide it with valid
>>> data.
>>>
>>> The other thing I would suggest is that either we always use POST
>>> methods, or encrypt and sign the arguments generated in a GET method
>>> to avoid either replaying or injecting bad data to geeklog.
>>> Nevertheless, all data should be validated/sanitized prior to use.
>>>
>>> regards,
>>> Drago
>>>
>>> Quoting Tony Bibbs <tony at tonybibbs.com>:
>>>
>>>
>>>
>>>> The problem is the journal name has a single quote (') in it.
>>>> Change "Chris' Journal" to "Chris Journal" and all would be well.
>>>>
>>>> --Tony
>>>>
>>>> Chris Besignano wrote:
>>>>
>>>>
>>>>> Hello,
>>>>>
>>>>> I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a
>>>>> new topic, but left a space in the topic id. Now I get this SQL
>>>>> error and cannot access any part of the site. What can I do to
>>>>> recover from this? Below is a section of my error log.
>>>>>
>>>>>
>>>>> Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>> Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>> Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>> Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL
>>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT
>>>>> count(*) AS count FROM gl_stories WHERE (draft_flag = 0) AND (date
>>>>> <= NOW()) AND (tid = 'Chris'Journal')
>>>>>
>>>>> _______________________________________________
>>>>> geeklog-users mailing list
>>>>> geeklog-users at lists.geeklog.net
>>>>> http://lists.geeklog.net/listinfo/geeklog-users
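Added example, not part of the original thread and not Geeklog's code: the logged query rebuilt in Python against an in-memory SQLite table, showing the stored topic id breaking the concatenated query, the same lookup with a bound parameter, and a validation check applied when a topic is created. The reduced gl_stories schema, the sample rows, the function names and the topic-id pattern are assumptions; the date clause is left out because SQLite has no NOW().

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the site database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gl_stories (tid TEXT, draft_flag INTEGER)")
    db.executemany(
        "INSERT INTO gl_stories VALUES (?, ?)",
        [("Chris'Journal", 0), ("General", 0), ("General", 1)],
    )
    return db

def count_concatenated(db, tid):
    """Builds the query as it appears in the error log: tid pasted between quotes.

    A stored tid containing ' ends the string literal early, so every page
    that runs this query fails until the stored value is changed.
    """
    sql = ("SELECT count(*) AS count FROM gl_stories "
           "WHERE (draft_flag = 0) AND (tid = '" + tid + "')")
    return db.execute(sql).fetchone()[0]

def count_parameterized(db, tid):
    """Same lookup with the tid bound as data, never parsed as SQL text."""
    sql = ("SELECT count(*) AS count FROM gl_stories "
           "WHERE (draft_flag = 0) AND (tid = ?)")
    return db.execute(sql, (tid,)).fetchone()[0]

# Hypothetical topic-id policy (an assumption, not Geeklog's rule):
# letters, digits, underscore and hyphen only, 1 to 20 characters.
TOPIC_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")

def valid_topic_id(tid):
    """Check to run when a topic is created, before the id is ever stored."""
    return TOPIC_ID_RE.fullmatch(tid) is not None

if __name__ == "__main__":
    db = make_db()
    for tid in ("General", "Chris'Journal"):
        try:
            result = count_concatenated(db, tid)
        except sqlite3.OperationalError as exc:
            result = "SQL error: %s" % exc
        print(repr(tid), "valid id:", valid_topic_id(tid),
              "| concatenated:", result,
              "| parameterized:", count_parameterized(db, tid))
```

Binding the value keeps an already stored id such as the one in the log from breaking reads, while the creation-time check keeps such ids from being stored in the first place.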