Again, note that the *fix* will happen in the journal plugin's code. If
you find it and fix it please send the fix to
[EMAIL PROTECTED] Thanks for looking into this...
--Tony
Chris Besignano wrote:
I realized why the error occurred but was unable to resolve the issue.
Geeklog simply locked up and kept returning the SQL error no matter
which page I accessed. I agree that this is something that should be
validated. It shouldn't be much work to make it happen, maybe I'll poke
at it this weekend and add some validation code. Who do I send my
changes to?
Chris Besignano
Drago Goricanec wrote:
This is something geeklog should protect against. Either escape the
data, or validate it prior to injecting it into SQL. If there are plans
to do this in a future version that's fine, but I don't think it's
reasonable for geeklog to expect users to provide it with valid data.
The other thing I would suggest is that either we always use POST
methods, or encrypt and sign the arguments generated in a GET method to
avoid either replaying or injecting bad data to geeklog. Nevertheless,
all data should be validated/sanitized prior to use.
regards,
Drago
Quoting Tony Bibbs <[EMAIL PROTECTED]>:
the problem is the journal name has a single quote (') in it. Change
"Chris' Journal" to "Chris Journal" and all would be well.
--Tony
Chris Besignano wrote:
Hello,
I am running geeklog 1.3.8-lsr4 on linux. I attempted to add a new
topic, but left a space in the topic id. Now I get this SQL error
and cannot access any part of the site. What can I do to recover
from this? Below is a section of my error log.
Thu Feb 26 09:51:31 2004 - 1064: You have an error in your SQL
syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
AND (tid = 'Chris'Journal')
Thu Feb 26 09:51:46 2004 - 1064: You have an error in your SQL
syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
AND (tid = 'Chris'Journal')
Thu Feb 26 09:51:52 2004 - 1064: You have an error in your SQL
syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
AND (tid = 'Chris'Journal')
Thu Feb 26 09:51:56 2004 - 1064: You have an error in your SQL
syntax near 'Journal')' at line 1. SQL in question: SELECT count(*)
AS count FROM gl_stories WHERE (draft_flag = 0) AND (date <= NOW())
AND (tid = 'Chris'Journal')
_______________________________________________
geeklog-users mailing list
[EMAIL PROTECTED]
http://lists.geeklog.net/listinfo/geeklog-users
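Added example (not from the thread and not Geeklog's own code) showing why the failing query in the error log above breaks, why the same construction is an injection hole rather than just a crash, and the two fixes Drago suggests: a parameterized query and validation of the topic id before use. It uses an in-memory SQLite stand-in for gl_stories with only the columns the logged query touches, `datetime('now')` in place of MySQL's NOW(), and an assumed topic-id policy (letters, digits, `_`, `-`, at most 20 characters); none of these are Geeklog's actual schema or rules.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for Geeklog's gl_stories table (only the
    columns used by the query from the error log; not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE gl_stories (sid TEXT, tid TEXT, draft_flag INTEGER, date TEXT)"
    )
    db.executemany(
        "INSERT INTO gl_stories VALUES (?, ?, ?, ?)",
        [
            ("s1", "Chris'Journal", 0, "2004-02-25 10:00:00"),  # published
            ("s2", "Chris'Journal", 1, "2004-02-25 10:00:00"),  # draft
            ("s3", "general", 0, "2004-02-25 10:00:00"),        # published
        ],
    )
    return db


def count_stories_unsafe(db, tid):
    """The query shape from the error log: the topic id is pasted straight
    into the SQL string. A single quote in tid breaks the statement, and
    a crafted tid rewrites the WHERE clause."""
    sql = (
        "SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
        "AND (date <= datetime('now')) AND (tid = '" + tid + "')"
    )
    return db.execute(sql).fetchone()[0]


def count_stories_safe(db, tid):
    """Same query with the value bound as a parameter: the database
    driver handles quoting, so 'Chris'Journal' is just a string."""
    sql = (
        "SELECT count(*) AS count FROM gl_stories WHERE (draft_flag = 0) "
        "AND (date <= datetime('now')) AND (tid = ?)"
    )
    return db.execute(sql, (tid,)).fetchone()[0]


# Assumed policy for a topic id (not Geeklog's real rule): identifiers only,
# so spaces and quotes like the ones in "Chris' Journal" are rejected at
# input time, before the value ever reaches a query.
TID_RE = re.compile(r"^[A-Za-z0-9_-]{1,20}$")


def validate_tid(tid):
    return bool(TID_RE.match(tid))


def demo():
    """Run the three cases the thread discusses and return the outcomes."""
    db = make_db()
    out = {}
    # 1. The thread's failure: a quote in the tid makes the SQL unparseable.
    try:
        count_stories_unsafe(db, "Chris'Journal")
        out["unsafe"] = "ok"
    except sqlite3.OperationalError as exc:
        out["unsafe"] = "error: " + str(exc)
    # 2. The same hole used deliberately: the tid filter is switched off
    #    and every published story is counted, whatever its topic.
    out["injected"] = count_stories_unsafe(db, "' OR '1'='1")
    # 3. Parameterized: the quoted tid matches the one published row.
    out["safe"] = count_stories_safe(db, "Chris'Journal")
    out["safe_injected"] = count_stories_safe(db, "' OR '1'='1")
    # 4. Input validation rejects the value before it is stored at all.
    out["valid"] = validate_tid("Chris'Journal")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Both fixes are worth having: binding parameters (or, in the PHP/MySQL setup of the period, escaping every value before concatenation) stops the query from breaking or being rewritten, while validating the topic id at the admin form keeps a bad value out of the database in the first place, which is what turned one bad topic into a site-wide outage here.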