[geeklog-users] An SQL error has occurred
Tony Bibbs
tony at tonybibbs.com
Fri Feb 27 09:07:53 EST 2004
Again, note that the *fix* will happen in the journal plugin's code. If
you find it and fix it please send the fix to
geeklog-devtalk at lists.geeklog.net. Thanks for looking into this...
--Tony
Chris Besignano wrote:
> I realized why the error occurred but was unable to resolve the issue.
> Geeklog simply locked up and kept returning the SQL error no matter
> which page I accessed. I agree that this is something that should be
> validated. It shouldn't be much work to make it happen, maybe I'll poke
> at it this weekend and add some validation code. Who do I send my
> changes to?
>
> Chris Besignano
>
> Drago Goricanec wrote:
>
>> This is something geeklog should protect against. Either escape the data, or
>> validate it prior to injecting it into SQL. If there are plans to do this in a
>> future version that's fine, but I don't think it's reasonable for geeklog to
>> expect users to provide it with valid data.
>>
>> The other thing I would suggest is that either we always use POST methods, or
>> encrypt and sign the arguments generated in a GET method to avoid either
>> replaying or injecting bad data to geeklog. Nevertheless, all data should be
>> validated/sanitized prior to use.
>>
>> regards,
>> Drago
>>
>> Quoting Tony Bibbs <tony at tonybibbs.com>:
>>
>>
>>
>>> The problem is the journal name has a single quote (') in it. Change
>>> "Chris' Journal" to "Chris Journal" and all would be well.
>>>
>>> --Tony
>>>
>>> Chris Besignano wrote:
>>>
>>>
>>>> Hello,
>>>>
>>>> I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new
>>>> topic, but left a space in the topic id. Now I get this SQL error
>>>> and cannot access any part of the site. What can I do to recover
>>>> from this? Below is a section of my error log.
>>>>
>>>>
>>>> Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>> Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>> Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>> Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL
>>>> syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
>>>> AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
>>>> AND (tid = 'Chris'Journal')
>>>>
>>>> _______________________________________________
>>>> geeklog-users mailing list
>>>> geeklog-users at lists.geeklog.net
>>>> http://lists.geeklog.net/listinfo/geeklog-users
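
Added example, not part of the original thread and not Geeklog's code: the failing query from the error log built by string concatenation, next to the same query with a bound parameter, plus an allow-list check for topic ids. It uses Python's sqlite3 with a constructed gl_stories table as a stand-in for MySQL; the table contents, TID_PATTERN and all function names are assumptions.

```python
import re
import sqlite3

# Hypothetical rule for topic ids: the thread does not give Geeklog's real one.
TID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,20}")

def is_valid_tid(tid):
    """Allow-list check: rejects quotes, spaces and anything else unexpected."""
    return isinstance(tid, str) and TID_PATTERN.fullmatch(tid) is not None

def make_db():
    """Constructed in-memory stand-in for gl_stories (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gl_stories (tid TEXT, draft_flag INTEGER, date TEXT)")
    rows = [("Chris'Journal", 0, "2004-02-26 09:00:00"),
            ("General", 0, "2004-02-25 12:00:00"),
            ("General", 1, "2004-02-25 13:00:00")]
    db.executemany("INSERT INTO gl_stories VALUES (?, ?, ?)", rows)
    return db

def count_concat(db, tid):
    """The 'before': the value is pasted into the SQL text, as in the error log."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= CURRENT_TIMESTAMP) AND (tid = '" + tid + "')")
    return db.execute(sql).fetchone()[0]

def count_bound(db, tid):
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    sql = ("SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
           "AND (date <= CURRENT_TIMESTAMP) AND (tid = ?)")
    return db.execute(sql, (tid,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for tid in ("General", "Chris'Journal", "my topic"):
        try:
            concat = count_concat(db, tid)
        except sqlite3.OperationalError as exc:
            concat = "SQL error: %s" % exc
        print(repr(tid), "valid:", is_valid_tid(tid),
              "| concatenated:", concat, "| bound:", count_bound(db, tid))
```

The bound query still works for a row that was already stored with a quote in its id, which is the state the site in this thread was left in; the validator only keeps new ids of that kind from being accepted.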