No problem. By the way, you can show SQL in error messages by adding this to
your LocalSettings.php:
$wgShowSQLErrors = true;
On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
Marko
Replaced those string and can confirm I have no occurrences of
'$pagename'.
I still saw the issue so had a play to try to get more information.
By de-selecting the "Delete Archived Articles too" checkbox everything runs
OK. So, I have managed to delete all old versions except those manually
deleted but still present in text/revision and even then only for the D% K%
P% and Q% strings. No idea why this won't work but with 95% of my pages
removed I am happy enough for now. If this prompts a new thought shout and I
will try to get rid of the final 1700 pages.
I do appreciate the time you took to provide the info, many many thanks!
Paul
On 10/24/07 5:05 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
Ah, I thought you were hiding SQL queries, didn't realize this was your
actual output. On my MediaWiki installation, I get full SQL queries dumped
out - forget how I turned that on.
Alas, there are few more changes to be made to the code... there are around
8 places where SQL queries are being formed like
... " something = '$pagename' " - this then becomes
" something = 'D'Arcy' " - that's no good.
We want to change it to " something = ".$dbw->addQuotes($pagename), which
gives us " something = 'D\'Arcy' ". Just do a search and replace as follows:
'$pagename'" (replace with) ".$dbw->addQuotes($pagename)
'$pagename' (replace with) ".$dbw->addQuotes($pagename)."
Do it exactly as typed, including quotes. If you search for '$pagename'
after this, including single quotes, you shouldn't find any.
On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
>
> Marko
>
> I have absolutely no problem posting the query but I don't get to see it.
> If there is a way to do so I am more than happy to provide it. I am
> entering K% in the page name text box in Special:DeleteOldRevisions and
> getting the error below:
>
> Database error
> A database query syntax error has occurred. This may indicate a bug in the
> software. The last attempted database query was:
>
> (SQL query hidden)
>
> from within function "". MySQL returned error "1064: You have an error in
> your SQL syntax; check the manual that corresponds to your MySQL server
> version for the right syntax to use near
> 's_Own_Royal_Border_Regiment_(British_Army)',
> 'King's_Own_Scottish_Borderers_(Bri' at line 1 (localhost)".
>
> Interestingly the ' is not being replaced with the /'
>
> When I run it for D% I get:
>
> Database error
> A database query syntax error has occurred. This may indicate a bug in the
> software. The last attempted database query was:
>
> (SQL query hidden)
>
> from within function "". MySQL returned error "1064: You have an error in
> your SQL syntax; check the manual that corresponds to your MySQL server
> version for the right syntax to use near 's_Regiment_(British_Army)',
> 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1
> (localhost)".
>
> So, in the instance of the K replacement none of the ' symbols are being
> replaced and in the D example one of them is not.
>
> I am mystified as to why one ' would be replaced and not another????
>
> Paul
>
> On 10/24/07 4:35 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
>
>> Paul,
>>
>> \' are result of addQuotes - it will convert a string like D'Arcy into
>> 'D\'Arcy', so it can be used as a literal in SQL statements, as in where
>> name = 'D\'Arcy'. It protects against sql injection attacks - if you were
>> to enter, say, "hello'; drop table users; select 'x" , as search term it
>> makes a big difference if the resulting query is .... where name =
>> 'hello'; drop table users; select 'x' or ... where name = 'hello\'; drop
>> table users; select \'x' - one drops table "users", the other one doesn't,
>> even though both are technically correct and will execute.
>>
>> I assume King's is not getting the \ before '? I can't tell unless I see
>> the whole SQL statement. You can sanitize it as needed to protect
>> sensitive information, but since the database layout is public, and
>> queries are plainly written in source code of this extension, posting the
>> whole query shouldn't be a security concern.
>>
>> Marko
>>
>> On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
>>>
>>> Marko
>>>
>>> Here you go. It is identical to the one I had before. To be clear, I
>>> downloaded V1.3 of the extension and the only change I made was half way
>>> down the page as per your replacement.
>>>
>>> Here is the error...
>>>
>>> Database error
>>> A database query syntax error has occurred. This may indicate a bug in
>>> the software. The last attempted database query was:
>>>
>>> (SQL query hidden)
>>>
>>> from within function "". MySQL returned error "1064: You have an error in
>>> your SQL syntax; check the manual that corresponds to your MySQL server
>>> version for the right syntax to use near 's_Army_(British_Army)',
>>> 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1
>>> (localhost)".
>>>
>>> It basically froze at the ' in King's although the D\' in the following
>>> entries looks a little odd. I don't remember seeing those before?
>>>
>>> The 'D\'Aguilar,_Queensland' you see here is a page called D'Aguilar,
>>> Queensland.
>>>
>>> Thanks for any help you can provide.
>>>
>>> Paul
>>>
>>>
>>> // Add all current pages, so we do not delete their logging information
>>> $sql = "SELECT page_title FROM $tbl_pag WHERE page_title like '$pagename'";
>>> if ( $namespace != -100 ) $sql .= " AND page_namespace = '$namespace'";
>>> $res = $dbw->query( $sql );
>>> while( $row = $dbw->fetchObject( $res ) ) {
>>>     $arc[] = $dbw->addQuotes($row->page_title);
>>>
>>> On 10/23/07 11:08 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
>>>
>>>> What does it say? Is it kicking out a bad SQL statement? Can you post it
>>>> here?
>>
>> On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
>>>
>>> Marko
>>>
>>> Sorry to say it but I changed the text as per your email but still get
>>> the same database error??
>>>
>>> Paul
>>>
>>>
>>> On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
>>>
>>>> No kidding! I don't have time unfortunately to play with it too much,
>>>> but I added some pointers to the talk page:
>>>>
>>>> http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteOldRevisions#A_few_serious_errors_and_security_concerns
>>>>
>>>>
>>>> On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:
>>>>>
>>>>> Marko Milisavljevic wrote:
>>>>>> Try replacing:
>>>>>>
>>>>>> $arc[] = "'" . $row->page_title . "'";
>>>>>>
>>>>>> with:
>>>>>>
>>>>>> $arc[] = $dbw->addQuotes($row->page_title);
>>>>>
>>>>>
>>>>> Creating a two revision page about ';DROP TABLE user; --
>>>>> http://xkcd.com/327/ ;)
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> MediaWiki-l mailing list
>>>>> MediaWiki-l(a)lists.wikimedia.org
>>>>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
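
Added example, not part of the original thread or the extension's code: it reproduces the two query-building patterns discussed above (a search pattern pasted into a LIKE clause, then page titles read back from the database and pasted into an IN list) and shows the same queries with bound parameters. Assumptions: Python's sqlite3 stands in for MySQL and MediaWiki's $dbw, bound parameters are used in place of addQuotes, and the table names and rows are constructed sample data.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not real wiki data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE page (page_title TEXT)")
    db.execute("CREATE TABLE logging (log_title TEXT)")
    titles = ["D'Arcy,_British_Columbia", "D'Aguilar,_Queensland", "Dover"]
    db.executemany("INSERT INTO page VALUES (?)", [(t,) for t in titles])
    db.executemany("INSERT INTO logging VALUES (?)", [(t,) for t in titles])
    return db

def count_logs_interpolated(db, pattern):
    """Query built the way the thread's original code does: values pasted into SQL text."""
    rows = db.execute(
        f"SELECT page_title FROM page WHERE page_title LIKE '{pattern}'")
    # A title such as D'Arcy closes the string literal early: 'D'Arcy,...'
    arc = ["'" + r[0] + "'" for r in rows]
    sql = ("SELECT COUNT(*) FROM logging WHERE log_title IN ("
           + ", ".join(arc) + ")")
    return db.execute(sql).fetchone()[0]

def count_logs_bound(db, pattern):
    """Same two queries with every value passed as a bound parameter."""
    rows = db.execute(
        "SELECT page_title FROM page WHERE page_title LIKE ?", (pattern,))
    titles = [r[0] for r in rows]
    if not titles:
        return 0  # an empty IN () list is itself a syntax error
    marks = ", ".join("?" * len(titles))
    sql = f"SELECT COUNT(*) FROM logging WHERE log_title IN ({marks})"
    return db.execute(sql, titles).fetchone()[0]

def interpolated_fails(db, pattern):
    """True when the string-built query is rejected by the SQL parser."""
    try:
        count_logs_interpolated(db, pattern)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for pat in ("Dov%", "D%", "D'%"):
        print(pat, "interpolated fails:", interpolated_fails(db, pat),
              "| bound count:", count_logs_bound(db, pat))
```

The string-built version works for "Dov%" and only breaks once a title or pattern contains an apostrophe, which is why the error in the thread appeared for some letter prefixes and not others.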