Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 12:37 pm EDT

Geeklog Forums

why aren't single quotes escaped from the search form?



wfzimmerman

Forum User
Chatty
Registered: 10/24/03
Posts: 50
I am getting error log messages whenever a user submits a search containing a single quote character to the search form. Why aren't these escaped in 1.3.9? Can I hack around this?


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
They are escaped, though maybe not in all of the plugins. Try to find out what actually causes the SQL error (e.g. by pasting the SQL error here ...).

bye, Dirk


wfzimmerman

Forum User
Chatty
Registered: 10/24/03
Posts: 50
Here is the error message. It appears to have something to do with static pages.

Fri Apr 2 12:00:57 2004 - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Dracula%' OR sp_content like 'Bram Stoker's Dracula%' OR sp_c. SQL in question: SELECT *,UNIX_TIMESTAMP(sp_date) as day FROM gl_staticpage WHERE (sp_php != '1' AND((sp_content like '%Bram Stoker's Dracula%' OR sp_content like 'Bram Stoker's Dracula%' OR sp_content like '%Bram Stoker's Dracula') OR (sp_title like '%Bram Stoker's Dracula%' OR sp_title like 'Bram Stoker's Dracula%' OR sp_title like '%Bram Stoker's Dracula'))) ORDER BY sp_date desc
Fri Apr 2 12:43:10 2004 - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's The Publisher%' OR sp_content like 'Micheael H Thomson's The . SQL in question: SELECT *,UNIX_TIMESTAMP(sp_date) as day FROM gl_staticpage WHERE (sp_php != '1' AND((sp_content like '%Micheael H Thomson's The Publisher%' OR sp_content like 'Micheael H Thomson's The Publisher%' OR sp_content like '%Micheael H Thomson's The Publisher') OR (sp_title like '%Micheael H Thomson's The Publisher%' OR sp_title like 'Micheael H Thomson's The Publisher%' OR sp_title like '%Micheael H Thomson's The Publisher'))) ORDER BY sp_date desc