Drago, yes, I realize that. Please note that this *isn't* a geeklog
problem, it is a problem with the journal plugin that I wrote. It's up
to each individual plugin to handle their DB interaction. When I get
around to it I'll make the fix, I just wanted to provide you the short
term fix to your problem.
--Tony
Drago Goricanec wrote:
This is something geeklog should protect against. Either escape the data, or
validate it prior to injecting it into SQL. If there are plans to do this in a
future version that's fine, but I don't think it's reasonable for geeklog to
expect users to provide it with valid data.
The other thing I would suggest is that either we always use POST methods, or
encrypt and sign the arguments generated in a GET method to avoid either
replaying or injecting bad data to geeklog. Nevertheless, all data should be
validated/sanitized prior to use.
regards,
Drago
Quoting Tony Bibbs <[EMAIL PROTECTED]>:
the problem is the journal name has a single quote (') in it. Change
"Chris' Journal" to "Chris Journal" and all would be well.
--Tony
Chris Besignano wrote:
Hello,
I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new
topic, but left a space in the topic id. Now I get this SQL error and
cannot access any part of the site. What can I do to recover from this?
Below is a section of my error log.
Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL syntax
near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
'Chris'Journal')
Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL syntax
near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
'Chris'Journal')
Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL syntax
near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
'Chris'Journal')
Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL syntax
near 'Journal')' at line 1. SQL in question: SELECT count(*) AS count
FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid =
'Chris'Journal')
_______________________________________________
geeklog-users mailing list
[EMAIL PROTECTED]
http://lists.geeklog.net/listinfo/geeklog-users
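The failure Tony diagnoses and the fix Drago asks for, as an added example that is not code from Geeklog or the journal plugin: the same count query built by string interpolation (which breaks on the quote in "Chris' Journal") beside the parameterized form. It assumes an in-memory SQLite stand-in for the gl_stories table from the log, with only the columns the query uses, and datetime('now') in place of MySQL's NOW().

```python
import sqlite3

def make_db():
    """Constructed stand-in for gl_stories (SQLite, not Geeklog's MySQL schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gl_stories (draft_flag INTEGER, date TEXT, tid TEXT)")
    conn.executemany(
        "INSERT INTO gl_stories VALUES (?, ?, ?)",
        [
            (0, "2004-02-25 10:00:00", "Chris' Journal"),  # the topic id from the thread
            (0, "2004-02-25 11:00:00", "Chris' Journal"),
            (1, "2004-02-25 12:00:00", "Chris' Journal"),  # draft, excluded by draft_flag = 0
            (0, "2004-02-25 13:00:00", "News"),
        ],
    )
    return conn

def count_stories_unsafe(conn, tid):
    """Query built by interpolation, as the plugin did: a quote inside tid
    closes the string literal early and the statement no longer parses."""
    sql = ("SELECT count(*) AS count FROM gl_stories "
           "WHERE (draft_flag = 0) AND (date <= datetime('now')) "
           f"AND (tid = '{tid}')")
    return conn.execute(sql).fetchone()[0]

def count_stories_safe(conn, tid):
    """Same query with tid bound as a parameter: the driver always treats
    it as a value, so quotes in the topic id need no escaping."""
    sql = ("SELECT count(*) AS count FROM gl_stories "
           "WHERE (draft_flag = 0) AND (date <= datetime('now')) AND (tid = ?)")
    return conn.execute(sql, (tid,)).fetchone()[0]

def unsafe_fails(tid):
    """True when the interpolated query raises the SQL syntax error."""
    try:
        count_stories_unsafe(make_db(), tid)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(count_stories_safe(db, "Chris' Journal"))  # 2
    print(unsafe_fails("Chris' Journal"))            # True
```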