Welcome to Geeklog Tuesday, August 20 2019 @ 11:55 am EDT

Geeklog Forums

why aren't single quotes escaped from the search form?


Status: offline

wfzimmerman

Forum User
Chatty
Registered: 24/10/03
Posts: 50
I am getting error log messages whenever a user submits a search containing a single quote character to the search form. Why aren't these escaped in 1.3.9? Can I hack around this?

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
They are escaped, though maybe not in all of the plugins. Try to find out what actually causes the SQL error (e.g. by pasting the SQL error here ...).

bye, Dirk

Status: offline

wfzimmerman

Forum User
Chatty
Registered: 24/10/03
Posts: 50
Here is the error message. It appears to have something to do with static pages.

Fri Apr 2 12:00:57 2004 - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Dracula%' OR sp_content like 'Bram Stoker's Dracula%' OR sp_c. SQL in question: SELECT *,UNIX_TIMESTAMP(sp_date) as day FROM gl_staticpage WHERE (sp_php != '1' AND((sp_content like '%Bram Stoker's Dracula%' OR sp_content like 'Bram Stoker's Dracula%' OR sp_content like '%Bram Stoker's Dracula') OR (sp_title like '%Bram Stoker's Dracula%' OR sp_title like 'Bram Stoker's Dracula%' OR sp_title like '%Bram Stoker's Dracula'))) ORDER BY sp_date desc
Fri Apr 2 12:43:10 2004 - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's The Publisher%' OR sp_content like 'Micheael H Thomson's The . SQL in question: SELECT *,UNIX_TIMESTAMP(sp_date) as day FROM gl_staticpage WHERE (sp_php != '1' AND((sp_content like '%Micheael H Thomson's The Publisher%' OR sp_content like 'Micheael H Thomson's The Publisher%' OR sp_content like '%Micheael H Thomson's The Publisher') OR (sp_title like '%Micheael H Thomson's The Publisher%' OR sp_title like 'Micheael H Thomson's The Publisher%' OR sp_title like '%Micheael H Thomson's The Publisher'))) ORDER BY sp_date desc
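The logged query shows the root cause: the search term is spliced straight into the SQL text, so the apostrophe in "Bram Stoker's Dracula" ends the string literal early and MySQL reports error 1064. The following is an added illustration written for this thread, not Geeklog code; it rebuilds a simplified version of that static-pages search against an in-memory SQLite table (constructed sample rows, and the three redundant LIKE variants from the original query collapsed into one) to contrast the broken concatenation with a bound-parameter query. Function names and the `ESCAPE` handling for `%`/`_` are this example's own choices.

```python
import sqlite3

# Constructed sample rows shaped like gl_staticpage: (sp_title, sp_content, sp_php).
# Not real Geeklog data.
SAMPLE_PAGES = [
    ("Bram Stoker's Dracula", "A review of Bram Stoker's Dracula.", "0"),
    ("Publisher Notes", "Editorial notes with no PHP.", "0"),
    ("Dynamic page", "Bram Stoker's Dracula mentioned in a PHP page", "1"),
]


def make_db():
    """Create an in-memory table with the sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gl_staticpage (sp_title TEXT, sp_content TEXT, sp_php TEXT)"
    )
    conn.executemany("INSERT INTO gl_staticpage VALUES (?, ?, ?)", SAMPLE_PAGES)
    return conn


def search_concatenated(conn, term):
    """The failing pattern from the log: the raw term becomes part of the SQL text.

    A single quote in `term` closes the string literal early and the database
    rejects the statement (SQLite raises OperationalError, MySQL logs 1064).
    """
    sql = (
        "SELECT sp_title FROM gl_staticpage WHERE (sp_php != '1' AND "
        "(sp_content LIKE '%" + term + "%' OR sp_title LIKE '%" + term + "%')) "
        "ORDER BY sp_title"
    )
    return [row[0] for row in conn.execute(sql)]


def concatenation_fails(conn, term):
    """True when the concatenated query is rejected as malformed SQL."""
    try:
        search_concatenated(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


def like_pattern(term):
    """Build a LIKE pattern that treats the user's %, _ and \\ literally."""
    escaped = (
        term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    return "%" + escaped + "%"


def search_parameterized(conn, term):
    """The fix: the term travels as a bound parameter, never as SQL text.

    Quotes in `term` are data, so the syntax error (and any injection) is gone.
    The ESCAPE clause additionally stops LIKE wildcards typed by the user from
    widening the match.
    """
    sql = (
        "SELECT sp_title FROM gl_staticpage WHERE (sp_php != '1' AND "
        "(sp_content LIKE ? ESCAPE '\\' OR sp_title LIKE ? ESCAPE '\\')) "
        "ORDER BY sp_title"
    )
    pattern = like_pattern(term)
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    term = "Bram Stoker's Dracula"
    print("concatenated query rejected:", concatenation_fails(db, term))
    print("parameterized results:", search_parameterized(db, term))
```

Running the module reproduces the thread's symptom (the concatenated query is rejected) and shows the parameterized version returning the matching page while still honouring the `sp_php != '1'` filter. Escaping the user input with the database driver's quoting function would also stop the error; binding parameters is the more robust fix because the term can never be parsed as SQL at all.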
