Paul,
\' are the result of addQuotes - it will convert a string like D'Arcy into 'D\'Arcy', so it can be used as a literal in SQL statements, as in where name = 'D\'Arcy'. It protects against SQL injection attacks - if you were to enter, say, "hello'; drop table users; select 'x", as a search term it makes a big difference if the resulting query is .... where name = 'hello'; drop table users; select 'x' or ... where name = 'hello\'; drop table users; select \'x' - one drops table "users", the other one doesn't, even though both are technically correct and will execute.

I assume King's is not getting the \ before '? I can't tell unless I see the whole SQL statement. You can sanitize it as needed to protect sensitive information, but since the database layout is public, and queries are plainly written in the source code of this extension, posting the whole query shouldn't be a security concern.
Marko
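An added example, not code from this thread or from the extension: a small Python stand-in for the escaping Marko describes (add_quotes is an assumption modelled on $dbw->addQuotes, not MediaWiki's own code) plus a literal-aware splitter that shows how many statements MySQL would see for the raw concatenation versus the escaped version, using the King's title and Marko's search term from the thread as constructed inputs.

```python
# Constructed inputs taken from the thread: the title that triggered the
# 1064 error and the search term Marko used to illustrate injection.
KINGS = "King's_Army_(British_Army)"
INJECTED = "hello'; drop table users; select 'x"

def add_quotes(value: str) -> str:
    """Stand-in for $dbw->addQuotes (assumption, not MediaWiki's code):
    backslash-escape '\\' and "'" and wrap the result in single quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def raw_query(title: str) -> str:
    """What the original extension built: "'" . $row->page_title . "'"."""
    return "SELECT page_title FROM page WHERE page_title = '" + title + "'"

def safe_query(title: str) -> str:
    """What the patched extension builds via addQuotes."""
    return "SELECT page_title FROM page WHERE page_title = " + add_quotes(title)

def split_statements(sql: str) -> list[str]:
    """Split on ';' outside single-quoted literals, honouring MySQL-style
    backslash escapes. Raises ValueError on an unterminated literal, the
    condition MySQL reports as a 1064 syntax error."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str and c == "\\" and i + 1 < len(sql):
            cur.append(sql[i:i + 2])      # keep the escaped pair intact
            i += 2
            continue
        if c == "'":
            in_str = not in_str
        elif c == ";" and not in_str:
            stmts.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if in_str:
        raise ValueError("unterminated string literal")
    tail = "".join(cur).strip()
    return stmts + [tail] if tail else stmts

def is_well_formed(sql: str) -> bool:
    """True if every literal is terminated (the query would at least parse)."""
    try:
        split_statements(sql)
        return True
    except ValueError:
        return False
```

With the raw concatenation, King's produces an unterminated literal (the 1064 error Paul saw) and the search term yields three statements; with add_quotes both become a single well-formed statement.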
On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
Marko
Here you go. It is identical to the one I had before. To be clear, I downloaded V1.3 of the extension and the only change I made was half way down the page as per your replacement.
Here is the error...
Database error
A database query syntax error has occurred. This may indicate a bug in the
software. The last attempted database query was:
(SQL query hidden)
from within function "". MySQL returned error "1064: You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near 's_Army_(British_Army)',
'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1
(localhost)".
It basically froze at the ' in King's although the D\' in the following
entries looks a little odd. I don't remember seeing those before?
The 'D\'Aguilar,_Queensland' you see here is a page called D'Aguilar, Queensland.
Thanks for any help you can provide.
Paul
// Add all current pages, so we do not delete their logging information
$sql = "SELECT page_title FROM $tbl_pag WHERE page_title like '$pagename'";
if ( $namespace != -100 ) $sql .= " AND page_namespace = '$namespace'";
$res = $dbw->query( $sql );
while( $row = $dbw->fetchObject( $res ) ) {
    // addQuotes escapes the title and wraps it in quotes for use as an SQL literal
    $arc[] = $dbw->addQuotes($row->page_title);
}
On 10/23/07 11:08 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
What does it say? Is it kicking out a bad SQL statement? Can you post it here?
On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
>
> Marko
>
> Sorry to say it but I changed the text as per your email but still get the
> same database error??
>
> Paul
>
>
> On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
No kidding! I don't have time unfortunately to play with it too much, but I
ldRevisions#A_few_serious_errors_and_security_concerns
On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:
>
> Marko Milisavljevic wrote:
>> Try replacing:
>>
>> $arc[] = "'" . $row->page_title . "'";
>>
>> with:
>>
>> $arc[] = $dbw->addQuotes($row->page_title);
>
>
> Creating a two revision page about ';DROP TABLE user; --
>
> http://xkcd.com/327/ ;)
>
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l(a)lists.wikimedia.org
>
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>