Ah, I thought you were hiding SQL queries, didn't realize this was your
actual output. On my MediaWiki installation, I get full SQL queries dumped
out - forget how I turned that on.

Alas, there are a few more changes to be made to the code... there are around
8 places where SQL queries are being formed like ... " something =
'$pagename' " - this then becomes " something = 'D'Arcy' " - that's no good.

We want to change it to " something = ".$dbw->addQuotes($pagename), which
gives us " something = 'D\'Arcy' ". Just do a search and replace as follows:

'$pagename'" (replace with) ".$dbw->addQuotes($pagename)
'$pagename' (replace with) ".$dbw->addQuotes($pagename)."

Do it exactly as typed, including quotes. If you search for '$pagename'
after this, including single quotes, you shouldn't find any.

On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
Marko
I have absolutely no problem posting the query but I don't get to see it. If
there is a way to do so I am more than happy to provide it. I am entering K%
in the page name text box in Special:DeleteOldRevisions and getting the
error below:
Database error
A database query syntax error has occurred. This may indicate a bug in the
software. The last attempted database query was:
(SQL query hidden)
from within function "". MySQL returned error "1064: You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near
's_Own_Royal_Border_Regiment_(British_Army)',
'King's_Own_Scottish_Borderers_(Bri' at line 1 (localhost)".
Interestingly the ' is not being replaced with the /'
When I run it for D% I get:
Database error
A database query syntax error has occurred. This may indicate a bug in the
software. The last attempted database query was:
(SQL query hidden)
from within function "". MySQL returned error "1064: You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near 's_Regiment_(British_Army)',
'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1
(localhost)".
So, in the instance of the K replacement none of the ' symbols are being
replaced and in the D example one of them is not.
I am mystified as to why one ' would be replaced and not another????
Paul
On 10/24/07 4:35 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
Paul,
\' are the result of addQuotes - it will convert a string like D'Arcy into
'D\'Arcy', so it can be used as a literal in SQL statements, as in where
name = 'D\'Arcy'. It protects against SQL injection attacks - if you were to
enter, say, "hello'; drop table users; select 'x", as search term it makes
a big difference if the resulting query is .... where name = 'hello'; drop
table users; select 'x' or ... where name = 'hello\'; drop table users;
select \'x' - one drops table "users", the other one doesn't, even though
both are technically correct and will execute.
I assume King's is not getting the \ before '? I can't tell unless I see the
whole SQL statement. You can sanitize it as needed to protect sensitive
information, but since the database layout is public, and queries are
plainly written in source code of this extension, posting the whole query
shouldn't be a security concern.
Marko
On 10/24/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
>
> Marko
>
> Here you go. It is identical to the one I had before. To be clear, I
> downloaded V1.3 of the extension and the only change I made was half way
> down the page as per your replacement.
>
> Here is the error...
>
> Database error
> A database query syntax error has occurred. This may indicate a bug in the
> software. The last attempted database query was:
>
> (SQL query hidden)
>
> from within function "". MySQL returned error "1064: You have an error in
> your SQL syntax; check the manual that corresponds to your MySQL server
> version for the right syntax to use near 's_Army_(British_Army)',
> 'D\'Aguilar,_Queensland', 'D\'Arcy,_British_Columbia' at line 1
> (localhost)".
>
> It basically froze at the ' in King's although the D\' in the following
> entries looks a little odd. I don't remember seeing those before?
>
> The 'D\'Aguilar,_Queensland' you see here is a page called D'Aguilar,
> Queensland.
>
> Thanks for any help you can provide.
>
> Paul
>
>
>
> // Add all current pages, so we do not delete their logging information
> $sql = "SELECT page_title FROM $tbl_pag WHERE page_title like '$pagename'";
> if ( $namespace != -100 ) $sql .= " AND page_namespace = '$namespace'";
> $res = $dbw->query( $sql );
> while( $row = $dbw->fetchObject( $res ) ) {
>     $arc[] = $dbw->addQuotes($row->page_title);
>
> On 10/23/07 11:08 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
>
>> What does it say? Is it kicking out a bad SQL statement? Can you post it
>> here?
>>
>> On 10/23/07, Paul Coghlan <pcoghlan(a)usa.net> wrote:
>>>
>>> Marko
>>>
>>> Sorry to say it but I changed the text as per your email but still get the
>>> same database error??
>>>
>>> Paul
>>>
>>>
>>> On 10/23/07 6:52 PM, "Marko Milisavljevic" <marko(a)cognistudio.com> wrote:
>>>
>>>> No kidding! I don't have time unfortunately to play with it too much, but I
>>>> added some pointers to the talk page:
>>
>> http://www.mediawiki.org/wiki/Extension_talk:SpecialDeleteOldRevisions#A_few_serious_errors_and_security_concerns
>>
>>
>> On 10/23/07, Platonides <Platonides(a)gmail.com> wrote:
>>>
>>> Marko Milisavljevic wrote:
>>>> Try replacing:
>>>>
>>>> $arc[] = "'" . $row->page_title . "'";
>>>>
>>>> with:
>>>>
>>>> $arc[] = $dbw->addQuotes($row->page_title);
>>>
>>>
>>> Creating a two revision page about ';DROP TABLE user; --
>>> http://xkcd.com/327/ ;)
>>>
>>>
>>> _______________________________________________
>>> MediaWiki-l mailing list
>>> MediaWiki-l(a)lists.wikimedia.org
>>> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
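
The search-and-replace described in the top message, as an added example that is not part of the original thread: a Python sketch that applies both replacements in the order given and then performs the follow-up search for leftovers. It goes slightly beyond the message by flagging any '$variable' interpolation rather than only $pagename; the SAMPLE lines are constructed, with the first two modelled on the snippet quoted in the thread.

```python
import re

# The two replacements from the message, in the order given: the
# end-of-string form must be handled before the mid-string form.
RULES = [
    ("'$pagename'\"", "\".$dbw->addQuotes($pagename)"),
    ("'$pagename'", "\".$dbw->addQuotes($pagename).\""),
]

# Generalization (assumption, not from the thread): any PHP variable
# interpolated between single quotes is worth a manual look.
QUOTED_VAR = re.compile(r"'\$[A-Za-z_]\w*'")


def apply_rules(php_source: str) -> str:
    """Apply both literal replacements, in order, to PHP source text."""
    for old, new in RULES:
        php_source = php_source.replace(old, new)
    return php_source


def leftovers(php_source: str) -> list[tuple[int, str]]:
    """Return (line number, match) for every remaining '$var' occurrence."""
    found = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in QUOTED_VAR.finditer(line):
            found.append((lineno, m.group(0)))
    return found


# Constructed sample: lines 1 and 2 follow the snippet quoted in the thread,
# line 3 is a made-up mid-string case ($tbl_x and x_* are hypothetical names).
SAMPLE = '''$sql = "SELECT page_title FROM $tbl_pag WHERE page_title like '$pagename'";
if ( $namespace != -100 ) $sql .= " AND page_namespace = '$namespace'";
$sql = "DELETE FROM $tbl_x WHERE x_title = '$pagename' AND x_id > 0";
'''

if __name__ == "__main__":
    fixed = apply_rules(SAMPLE)
    print(fixed)
    for lineno, text in leftovers(fixed):
        print(f"line {lineno}: still interpolates {text}")
```

On the sample, the only leftover reported is the '$namespace' interpolation on line 2, which the two replacements do not touch.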