Re: [Mediawiki-l] Cleansing database for launch

List overview All Threads
Download

newer

older

Mediawiki Ldap Integration Login...

How does one add meta tags to the...

Jack Eapen C

23 Oct 2007 23 Oct '07

5:05 p.m.

Hi Why don't you try http://www.mediawiki.org/wiki/Extension:SpecialDeleteOldRevisions I'm using it and works fine. Just give %% for all the articles and give date as today. It'll delete all revisions upto this date except the current revision. Regards, Jack Eapen ---------------------------------------------------------------- "People forget how fast you did a job - but they remember how well you did it" -----Original Message----- From: mediawiki-l-bounces(a)lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Paul Coghlan Sent: Tuesday, October 23, 2007 5:21 PM To: MediaWiki announcements and site admin list Subject: [Mediawiki-l] Cleansing database for launch I am once again returning to the task or cleaning the database prior to a launch. We have several hundred thousand pages and up to 20-30 revisions per page. I need to strip all revisions prior to the current one to effectively clear the history for each page. I know from a previous message from Rob that the DeleteOldRevisions.php script a bad way to go and may give unexpected results so I am tackling this directly in SQL. It would appear that deleting all entries in tblrevision EXCEPT the latest (i.e. chronologically latest rev_timestamp) and each of the associated entries in the text table (where revision.rev_text_id=text.old_id) is the way to go. Does this look like it will give me what I am looking for, deleting all revisions/txt except the latest? Is there anything else I need to delete to clean the database? Bearing in mind this site is pre-launch and has nothing other than straight forward textual pages, albeit a lot of them. Thanks, Paul _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l This electronic mail (including any attachment thereto) may be confidential and privileged and is intended only for the individual or entity named above. Any unauthorized use, printing, copying, disclosure or dissemination of this communication may be subject to legal restriction or sanction. Accordingly, if you are not the intended recipient, please notify the sender by replying to this email immediately and delete this email (and any attachment thereto) from your computer system...Thank You

Show replies by date

Paul Coghlan

23 Oct 23 Oct

5:13 p.m.

New subject: [Mediawiki-l] Cleansing database for launch

Jack Thanks for the fast reply. Looks to be just the ticket! I will download it this morning. Paul On 10/23/07 8:05 AM, "Jack Eapen C" <jackec(a)suntecgroup.com> wrote:

...

Paul Coghlan

6:51 p.m.

New subject: [Mediawiki-l] Cleansing database for launch

Jack Unfortunately this script will not work if you have page titles with a ' in them, such as "Christie's" etc. Thanks anyway, Paul On 10/23/07 8:05 AM, "Jack Eapen C" <jackec(a)suntecgroup.com> wrote:

...

Marko Milisavljevic

11:51 p.m.

New subject: [Mediawiki-l] Cleansing database for launch

Try replacing: $arc[] = "'" . $row->page_title . "'"; with: $arc[] = $dbw->addQuotes($row->page_title); On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:

...

confidential

and privileged and is intended only for the individual or entity named

above.

Any unauthorized use, printing, copying, disclosure or dissemination of

this

communication may be subject to legal restriction or sanction.

Accordingly, if

you are not the intended recipient, please notify the sender by replying

this email immediately and delete this email (and any attachment

thereto) from

your computer system...Thank You _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Platonides

24 Oct 24 Oct

2 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

Marko Milisavljevic wrote:

...

Try replacing: $arc[] = "'" . $row->page_title . "'"; with: $arc[] = $dbw->addQuotes($row->page_title);

Creating a two revision page about ';DROP TABLE user; -- http://xkcd.com/327/ ;)

Marko Milisavljevic

3:52 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

No kidding! I don't have time unfortunately to play with it too much, but I added some pointers to the talk page: http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteOldRevisions#A_fe… On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:

...

Marko Milisavljevic wrote:

Try replacing: $arc[] = "'" . $row->page_title . "'"; with: $arc[] = $dbw->addQuotes($row->page_title);

Creating a two revision page about ';DROP TABLE user; -- http://xkcd.com/327/ ;) _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Paul Coghlan

6:43 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

Marko Sorry to say it but I changed the text as per your email but still get the same database error?? Paul On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:

...

No kidding! I don't have time unfortunately to play with it too much, but I added some pointers to the talk page: http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteOldRevisions#A_fe… erious_errors_and_security_concerns On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:

Marko Milisavljevic wrote:

Try replacing: $arc[] = "'" . $row->page_title . "'"; with: $arc[] = $dbw->addQuotes($row->page_title);

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Marko Milisavljevic

8:08 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

What does it say? Is it kicking out a bad SQL statement? Can you post it here? On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:

...

Marko Sorry to say it but I changed the text as per your email but still get the same database error?? Paul On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:

No kidding! I don't have time unfortunately to play with it too much,

but I

added some pointers to the talk page: http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO

ldRevisions#A_few_s

erious_errors_and_security_concerns On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:

Marko Milisavljevic wrote:

Try replacing: $arc[] = "'" . $row->page_title . "'"; with: $arc[] = $dbw->addQuotes($row->page_title);

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Paul Coghlan

4:14 p.m.

New subject: [Mediawiki-l] Cleansing database for launch

Marko Here you go. It is identical the one I had before. TO be clear, I downloaded V1.3 of the extension and the only change I made was half way down the page as per your replacement. Here is the error... Database error A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was: (SQL query hidden) from within function "". MySQL returned error "1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's_Army_(British_Army)', 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1 (localhost)". It basically froze at the ' in King's although the D\' in the following entries looks a little odd. I don't remember seeing those before? The 'D\'Aguilar,_Queensland' you see here is a page called D'Aguilar, Queensland. Thanks for any help you can provide. Paul // Add all current pages, so we do not delete their logging information $sql = "SELECT page_title FROM $tbl_pag WHERE page_title like '$pagename'"; if ( $namespace != -100 ) $sql .= " AND page_namespace = '$namespace'"; $res = $dbw->query( $sql ); while( $row = $dbw->fetchObject( $res ) ) { $arc[] = $dbw->addQuotes($row->page_title); On 10/23/07 11:08 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:

...

What does it say? Is it kicking out a bad SQL statement? Can you post it here? On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:

Marko Sorry to say it but I changed the text as per your email but still get the same database error?? Paul On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:

No kidding! I don't have time unfortunately to play with it too much,

but I

added some pointers to the talk page: http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO

ldRevisions#A_few_s

erious_errors_and_security_concerns On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:

Marko Milisavljevic wrote: > Try replacing: > > $arc[] = "'" . $row->page_title . "'"; > > with: > > $arc[] = $dbw->addQuotes($row->page_title); Creating a two revision page about ';DROP TABLE user; -- http://xkcd.com/327/ ;) _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Marko Milisavljevic

25 Oct 25 Oct

1:35 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

Paul, \' are result of addQuote - it will convert a string like D'Arcy into 'D\'Arcy', so it can be used as a literal in SQL statements, as in where name = 'D\'Arcy'. It protects against sql injection attacks - if you were to enter, say, "hello'; drop table users; select 'x" , as search term it makes a big difference if the resulting query is .... where name = 'hello'; drop table users; select 'x' or ... where name = 'hello\'; drop table users; select \'x' - one drops table "users", the other one doesn't, even though both are technically correct and will execute. I assume King's is not getting the \ before '? I can't tell unless I see the whole SQL statement. You can sanitize it as needed to protect sensitive information, but since the database layout is public, and queries are plainly written in source code of this extension, posting the whole query shouldn't be a security concern. Marko On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:

...

What does it say? Is it kicking out a bad SQL statement? Can you post it here? On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: > > Marko > > Sorry to say it but I changed the text as per your email but still get

the

> same database error?? > > Paul > > > On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com>

wrote:

No kidding! I don't have time unfortunately to play with it too much,

but I

added some pointers to the talk page: http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO

ldRevisions#A_few_s

erious_errors_and_security_concerns On 10/23/07, Platonides <Platonides(a)gmail.com> wrote: > > Marko Milisavljevic wrote: >> Try replacing: >> >> $arc[] = "'" . $row->page_title . "'"; >> >> with: >> >> $arc[] = $dbw->addQuotes($row->page_title); > > > Creating a two revision page about ';DROP TABLE user; -- > http://xkcd.com/327/ ;) > > > _______________________________________________ > MediaWiki-l mailing list > MediaWiki-l(a)lists.wikimedia.org > http://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Paul Coghlan

1:53 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

Marko I have absolutely no problem posting the query but I don't get to see it. If there is a way to do so I am more than happy to provide it. I am entering K% in the page name text box in Special:DeleteOldRevisions and getting the error below: Database error A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was: (SQL query hidden) from within function "". MySQL returned error "1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's_Own_Royal_Border_Regiment_(British_Army)', 'King's_Own_Scottish_Borderers_(Bri' at line 1 (localhost)". Interestingly the ' is not being replaced with the /' When I run it for D% I get: Database error A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was: (SQL query hidden) from within function "". MySQL returned error "1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's_Regiment_(British_Army)', 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1 (localhost)". So, in the instance of the K replacement none of the ' symbols are being replaced and in the D example one of them is not. I am mystified as to why one ' would be replaced and not another???? Paul On 10/24/07 4:35 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:

...

the

> same database error?? > > Paul > > > On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com>

wrote:

> No kidding! I don't have time unfortunately to play with it too much, but I > added some pointers to the talk page: > > http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO ldRevisions#A_few_s > erious_errors_and_security_concerns > > > On 10/23/07, Platonides <Platonides(a)gmail.com> wrote: >> >> Marko Milisavljevic wrote: >>> Try replacing: >>> >>> $arc[] = "'" . $row->page_title . "'"; >>> >>> with: >>> >>> $arc[] = $dbw->addQuotes($row->page_title); >> >> >> Creating a two revision page about ';DROP TABLE user; -- >> http://xkcd.com/327/ ;) >> >> >> _______________________________________________ >> MediaWiki-l mailing list >> MediaWiki-l(a)lists.wikimedia.org >> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >> > _______________________________________________ > MediaWiki-l mailing list > MediaWiki-l(a)lists.wikimedia.org > http://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Marko Milisavljevic

2:05 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

Ah, I thought you were hiding SQL queries, didn't realize this was your actual output. On my MediaWiki installation, I get full SQL queries dumped out - forget how I turned that on. Alas, there are few more changes to be made to the code... there are around 8 places where SQL queries are being formed like ... " something = '$pagename' " - this then becomes " something = 'D'Arcy' " - that's no good. We want to change it to " something = ".$dbw->addQuotes($pagename), which gives us " something = 'D\'Arcy' ". Just do a search and replace as follows: '$pagename'" (replace with) ".$dbw->addQuotes($pagename) '$pagename' (replace with) ".$dbw->addQuotes($pagename)." Do it exactly as typed, including quotes. If you search for '$pagename' after this, including single quotes, you shouldn't find any. On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:

...

were to

enter, say, "hello'; drop table users; select 'x" , as search term it

makes

a big difference if the resulting query is .... where name = 'hello';

drop

table users; select 'x' or ... where name = 'hello\'; drop table users; select \'x' - one drops table "users", the other one doesn't, even

though

both are technically correct and will execute. I assume King's is not getting the \ before '? I can't tell unless I see

the

whole SQL statement. You can sanitize it as needed to protect sensitive information, but since the database layout is public, and queries are plainly written in source code of this extension, posting the whole

query

shouldn't be a security concern. Marko On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: > > Marko > > Here you go. It is identical the one I had before. TO be clear, I > downloaded > V1.3 of the extension and the only change I made was half way down the > page > as per your replacement. > > Here is the error... > > Database error > A database query syntax error has occurred. This may indicate a bug in

the

> software. The last attempted database query was: > > (SQL query hidden) > > from within function "". MySQL returned error "1064: You have an error

> your SQL syntax; check the manual that corresponds to your MySQL server > version for the right syntax to use near 's_Army_(British_Army)', > 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1 > (localhost)". > > It basically froze at the ' in King's although the D\' in the following > entries looks a little odd. I don't remember seeing those before? > > The 'D\'Aguilar,_Queensland' you see here is a page called D'Aguilar, > Queensland. > > Thanks for any help you can provide. > > Paul > > > > // Add all current pages, so we do not delete their logging > information > > $sql = "SELECT page_title FROM $tbl_pag WHERE page_title

> '$pagename'"; > > if ( $namespace != -100 ) $sql .= " AND page_namespace = > '$namespace'"; > > $res = $dbw->query( $sql ); > > while( $row = $dbw->fetchObject( $res ) ) { > > $arc[] = $dbw->addQuotes($row->page_title); > > > > > > > > On 10/23/07 11:08 PM, "Marko Milisavljevic" <marko(a)cognistudio.com>

wrote:

> >> What does it say? Is it kicking out a bad SQL statement? Can you post

>> here? >> >> On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: >>> >>> Marko >>> >>> Sorry to say it but I changed the text as per your email but still

get

> the >>> same database error?? >>> >>> Paul >>> >>> >>> On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> > wrote: >>> >>>> No kidding! I don't have time unfortunately to play with it too

much,

> but I >> added some pointers to the talk page: >> >> http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO > ldRevisions#A_few_s >> erious_errors_and_security_concerns >> >> >> On 10/23/07, Platonides <Platonides(a)gmail.com> wrote: >>> >>> Marko Milisavljevic wrote: >>>> Try replacing: >>>> >>>> $arc[] = "'" . $row->page_title . "'"; >>>> >>>> with: >>>> >>>> $arc[] = $dbw->addQuotes($row->page_title); >>> >>> >>> Creating a two revision page about ';DROP TABLE user; -- >>> http://xkcd.com/327/ ;) >>> >>> >>> _______________________________________________ >>> MediaWiki-l mailing list >>> MediaWiki-l(a)lists.wikimedia.org >>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >>> >> _______________________________________________ >> MediaWiki-l mailing list >> MediaWiki-l(a)lists.wikimedia.org >> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >> > > > > > _______________________________________________ > MediaWiki-l mailing list > MediaWiki-l(a)lists.wikimedia.org > http://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Paul Coghlan

2:52 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

Marko Replaced those string and can confirm I have no occurrences of '$pagename'. I still saw the issue so had a play to try to get more information. By de-selecting the "Delete Archived Articles too" checkbox everything runs OK. So, I have managed to delete all old versions except those manually deleted but still present in text/revision and even then only for the D% K% P% and Q% strings. No idea why this wont work but with 95% of my pages removed I am happy enough for now. If this prompts a new thought shout and I will try to get rid of the final 1700 pages. I do appreciate the time you took to provide the info, many many thanks! Paul On 10/24/07 5:05 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:

...

were to

enter, say, "hello'; drop table users; select 'x" , as search term it

makes

a big difference if the resulting query is .... where name = 'hello';

drop

table users; select 'x' or ... where name = 'hello\'; drop table users; select \'x' - one drops table "users", the other one doesn't, even

though

both are technically correct and will execute. I assume King's is not getting the \ before '? I can't tell unless I see

the

query

the

> software. The last attempted database query was: > > (SQL query hidden) > > from within function "". MySQL returned error "1064: You have an error

wrote:

> >> What does it say? Is it kicking out a bad SQL statement? Can you post

>> here? >> >> On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: >>> >>> Marko >>> >>> Sorry to say it but I changed the text as per your email but still

get

much,

>> but I >>> added some pointers to the talk page: >>> >>> http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO >> ldRevisions#A_few_s >>> erious_errors_and_security_concerns >>> >>> >>> On 10/23/07, Platonides <Platonides(a)gmail.com> wrote: >>>> >>>> Marko Milisavljevic wrote: >>>>> Try replacing: >>>>> >>>>> $arc[] = "'" . $row->page_title . "'"; >>>>> >>>>> with: >>>>> >>>>> $arc[] = $dbw->addQuotes($row->page_title); >>>> >>>> >>>> Creating a two revision page about ';DROP TABLE user; -- >>>> http://xkcd.com/327/ ;) >>>> >>>> >>>> _______________________________________________ >>>> MediaWiki-l mailing list >>>> MediaWiki-l(a)lists.wikimedia.org >>>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >>>> >>> _______________________________________________ >>> MediaWiki-l mailing list >>> MediaWiki-l(a)lists.wikimedia.org >>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >>> >> >> >> >> >> _______________________________________________ >> MediaWiki-l mailing list >> MediaWiki-l(a)lists.wikimedia.org >> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >> > _______________________________________________ > MediaWiki-l mailing list > MediaWiki-l(a)lists.wikimedia.org > http://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Marko Milisavljevic

3:22 a.m.

New subject: [Mediawiki-l] Cleansing database for launch

No problem. By the way, you can show SQL in error mesages by adding this to your LocalSettings.php: $wgShowSQLErrors = true; On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:

...

Ah, I thought you were hiding SQL queries, didn't realize this was your actual output. On my MediaWiki installation, I get full SQL queries

dumped

out - forget how I turned that on. Alas, there are few more changes to be made to the code... there are

around

8 places where SQL queries are being formed like ... " something = '$pagename' " - this then becomes " something = 'D'Arcy' " - that's no

good.

We want to change it to " something = ".$dbw->addQuotes($pagename),

which

gives us " something = 'D\'Arcy' ". Just do a search and replace as follows: '$pagename'" (replace with) ".$dbw->addQuotes($pagename) '$pagename' (replace with) ".$dbw->addQuotes($pagename)." Do it exactly as typed, including quotes. If you search for '$pagename' after this, including single quotes, you shouldn't find any. On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: > > Marko > > I have absolutely no problem posting the query but I don't get to see

it.

> If > there is a way to do so I am more than happy to provide it. I am

entering

> K% > in the page name text box in Special:DeleteOldRevisions and getting the > error below: > > Database error > A database query syntax error has occurred. This may indicate a bug in

the

> software. The last attempted database query was: > > (SQL query hidden) > > from within function "". MySQL returned error "1064: You have an error

> your SQL syntax; check the manual that corresponds to your MySQL server > version for the right syntax to use near > 's_Own_Royal_Border_Regiment_(British_Army)', > 'King's_Own_Scottish_Borderers_(Bri' at line 1 (localhost)". > > Interestingly the ' is not being replaced with the /' > > When I run it for D% I get: > > Database error > A database query syntax error has occurred. This may indicate a bug in

the

> software. The last attempted database query was: > > (SQL query hidden) > > from within function "". MySQL returned error "1064: You have an error

> your SQL syntax; check the manual that corresponds to your MySQL server > version for the right syntax to use near 's_Regiment_(British_Army)', > 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1 > (localhost)". > > So, in the instance of the K replacement none of the ' symbols are

being

> replaced and in the D example one of them is not. > > I am mystified as to why one ' would be replaced and not another???? > > Paul > > On 10/24/07 4:35 PM, "Marko Milisavljevic" <marko(a)cognistudio.com>

wrote:

> >> Paul, >> >> \' are result of addQuote - it will convert a string like D'Arcy into >> 'D\'Arcy', so it can be used as a literal in SQL statements, as in

where

>> name = 'D\'Arcy'. It protects against sql injection attacks - if you > were to >> enter, say, "hello'; drop table users; select 'x" , as search term it > makes >> a big difference if the resulting query is .... where name = 'hello'; > drop >> table users; select 'x' or ... where name = 'hello\'; drop table

users;

>> select \'x' - one drops table "users", the other one doesn't, even > though >> both are technically correct and will execute. >> >> I assume King's is not getting the \ before '? I can't tell unless I

see

> the >> whole SQL statement. You can sanitize it as needed to protect

sensitive

>> information, but since the database layout is public, and queries are >> plainly written in source code of this extension, posting the whole > query >> shouldn't be a security concern. >> >> Marko >> >> On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: >>> >>> Marko >>> >>> Here you go. It is identical the one I had before. TO be clear, I >>> downloaded >>> V1.3 of the extension and the only change I made was half way down

the

>>> page >>> as per your replacement. >>> >>> Here is the error... >>> >>> Database error >>> A database query syntax error has occurred. This may indicate a bug

> the >>> software. The last attempted database query was: >>> >>> (SQL query hidden) >>> >>> from within function "". MySQL returned error "1064: You have an

error

> in >>> your SQL syntax; check the manual that corresponds to your MySQL

server

>>> version for the right syntax to use near 's_Army_(British_Army)', >>> 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1 >>> (localhost)". >>> >>> It basically froze at the ' in King's although the D\' in the

following

>>> entries looks a little odd. I don't remember seeing those before? >>> >>> The 'D\'Aguilar,_Queensland' you see here is a page called D'Aguilar, >>> Queensland. >>> >>> Thanks for any help you can provide. >>> >>> Paul >>> >>> >>> >>> // Add all current pages, so we do not delete their

logging

>>> information >>> >>> $sql = "SELECT page_title FROM $tbl_pag WHERE page_title > like >>> '$pagename'"; >>> >>> if ( $namespace != -100 ) $sql .= " AND page_namespace = >>> '$namespace'"; >>> >>> $res = $dbw->query( $sql ); >>> >>> while( $row = $dbw->fetchObject( $res ) ) { >>> >>> $arc[] = $dbw->addQuotes($row->page_title); >>> >>> >>> >>> >>> >>> >>> >>> On 10/23/07 11:08 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> > wrote: >>> >>>> What does it say? Is it kicking out a bad SQL statement? Can you

post

>> here? >> >> On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote: >>> >>> Marko >>> >>> Sorry to say it but I changed the text as per your email but still

get

much,

>>> but I >>>> added some pointers to the talk page: >>>> >>>> http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteO >>> ldRevisions#A_few_s >>>> erious_errors_and_security_concerns >>>> >>>> >>>> On 10/23/07, Platonides <Platonides(a)gmail.com> wrote: >>>>> >>>>> Marko Milisavljevic wrote: >>>>>> Try replacing: >>>>>> >>>>>> $arc[] = "'" . $row->page_title . "'"; >>>>>> >>>>>> with: >>>>>> >>>>>> $arc[] = $dbw->addQuotes($row->page_title); >>>>> >>>>> >>>>> Creating a two revision page about ';DROP TABLE user; -- >>>>> http://xkcd.com/327/ ;) >>>>> >>>>> >>>>> _______________________________________________ >>>>> MediaWiki-l mailing list >>>>> MediaWiki-l(a)lists.wikimedia.org >>>>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >>>>> >>>> _______________________________________________ >>>> MediaWiki-l mailing list >>>> MediaWiki-l(a)lists.wikimedia.org >>>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >>>> >>> >>> >>> >>> >>> _______________________________________________ >>> MediaWiki-l mailing list >>> MediaWiki-l(a)lists.wikimedia.org >>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >>> >> _______________________________________________ >> MediaWiki-l mailing list >> MediaWiki-l(a)lists.wikimedia.org >> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l >> > > > > > _______________________________________________ > MediaWiki-l mailing list > MediaWiki-l(a)lists.wikimedia.org > http://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________ MediaWiki-l mailing list MediaWiki-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

6022

days inactive

6023

days old

mediawiki-l@lists.wikimedia.org

Manage subscription

13 comments

4 participants

tags (0)

participants (4)

Jack Eapen C
Marko Milisavljevic
Paul Coghlan
Platonides