PhpDig.net

Old 10-03-2003, 08:18 AM   #1
Rolandks
Purple Mole
 
Join Date: Sep 2003
Location: Kassel, Germany
Posts: 119
Double quotes crash PhpDig

+ exact words
+ "reference documentation" in quotes

Search for test

mysql_num_rows(): supplied argument is not a valid MySQL result resource on libs/search_function.php in line 164

Possible solution:
In line 53: quotes and other things which crash a MySQL query must be deleted.

Last edited by Rolandks; 10-03-2003 at 08:24 AM.
Old 10-04-2003, 01:29 PM   #2
Iltud
Green Mole
 
Join Date: Sep 2003
Location: Brest - France
Posts: 22
Question

Hi,

I'm not sure, but can this bug cause a critical SQL insertion with a "drop table" query?

For example, if the searched words are like this:

none';drop table keywords;select * from keywords where etc...


Nicolas.
Old 10-05-2003, 11:52 AM   #3
Charter
Head Mole
 
Join Date: May 2003
Posts: 2,539
Hi. Please check and see if you can break it again. Thanks.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
Old 10-05-2003, 12:22 PM   #4
Iltud
Green Mole
 
Join Date: Sep 2003
Location: Brest - France
Posts: 22
Edit for solution:

After checking, there is no possibility to include SQL code. But there is effectively a bug, as Roland said.

All quotes are badly stripped.

At the beginning, "reference documentation" is transformed into \"reference documentation\".

At line #100 in search_function.php it's then transformed into \reference documentation\ (the quotes disappear).

Then, each word, separated by a space, is used in a query. In Roland's case, this gives two queries with:

.... AND k.keyword like '\reference%'
and
.... AND k.keyword like 'documentation\%'

Of course, this causes MySQL to fail.


IMHO, a solution could be around lines 97-103.



Thanks,
Nicolas.

Last edited by Iltud; 10-05-2003 at 01:37 PM.
Old 10-05-2003, 02:20 PM   #5
Charter
Head Mole
 
Join Date: May 2003
Posts: 2,539
Hi. In search_function.php find:
PHP Code:
$query_to_parse = trim(ereg_replace(" +"," ",$query_to_parse)); // no more than 1 blank
and before it add:
PHP Code:
if (eregi("[^[:alnum:]^ +]+",$query_to_parse)) { $query_to_parse = eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); }
Also, in search_function.php find:
PHP Code:
$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].$regs[2].$like_end[$option]."' ";
and replace with:
PHP Code:
$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].stripslashes($regs[2]).$like_end[$option]."' ";
Of course, remove any "word" wrapping in the above code.
Old 10-15-2003, 06:52 AM   #6
manute
Orange Mole
 
Join Date: Oct 2003
Location: hamburg, germany
Posts: 52
hey, i just wanted to post that bug, but fortunately there's a solution already. great. thanks. :-)
Old 10-21-2003, 01:40 PM   #7
chazter
Green Mole
 
Join Date: Sep 2003
Posts: 8
Thanks for the solution with the double quotes. Much appreciated. It worked for me.
Old 10-24-2003, 12:40 PM   #8
barrett_lyon
Green Mole
 
Join Date: Oct 2003
Location: Los Angeles
Posts: 1
MySQL injection possibility

I have yet to test it, but I am pretty sure anyone can inject MySQL queries into the search field. Sorry I have not researched the code on my own; I am hoping someone else has already done that effort.

Also, I have written some code that allows regex searches. Is there an easy way to submit a diff?
Old 10-24-2003, 03:36 PM   #9
Charter
Head Mole
 
Join Date: May 2003
Posts: 2,539
Hi. The code eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); takes everything that is not a number, letter, or space and replaces it with a space. This happens before $kconds[$ncrit] is formed, where $kconds[$ncrit] is used to make the mysql query from the search field. Please do examine the code. The more eyes, the better.

The regex code sounds cool. Please post it in the Mod Submissions forum.
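The failure chain Nicolas traces in post #4, the sanitising fix Charter posts in #5 and the reasoning in #9 about why the cleaned input cannot carry SQL, modelled in Python as an added example (this is not PhpDig's code and not from any poster). It assumes magic_quotes-style escaping of the incoming search string, models the POSIX [:alnum:] class as A-Za-z0-9, and assumes the per-option wrapping values for "like" and "exact words"; decode_sql_literal is a small model of MySQL's single-quoted literal rules written for this example, not a MySQL component. The two sample inputs are the search strings quoted in the thread.

```python
import re

# Constructed sample inputs: the two search strings that appear in the thread.
QUOTED_SEARCH = '"reference documentation"'
INJECTION_ATTEMPT = "none';drop table keywords"

# Per-option wrapping of the search word, modelled on the $like_operator /
# $like_start / $like_end arrays in the posted code (values assumed here).
OPTIONS = {
    'like': ('like', '', '%'),   # prefix search: keyword like 'word%'
    'exact': ('=', '', ''),      # "exact words": keyword = 'word'
}


def php_addslashes(s):
    """Model of PHP's magic_quotes_gpc/addslashes(): backslash-escape quotes and backslashes."""
    return s.replace('\\', '\\\\').replace("'", "\\'").replace('"', '\\"')


def php_stripslashes(s):
    """Model of PHP's stripslashes(): remove one level of backslash escaping."""
    return re.sub(r'\\(.?)', r'\1', s, flags=re.DOTALL)


def build_conditions(raw, option, sanitize):
    """Build one keyword condition per space-separated word, following the steps
    described in the thread: escaped input, quotes stripped, words split on spaces.
    With sanitize=True the posted fix is applied first (non-alphanumerics replaced
    by a space, then stripslashes on each word); [:alnum:] is modelled as A-Za-z0-9."""
    operator, start, end = OPTIONS[option]
    text = php_addslashes(raw)                        # e.g. \"reference documentation\"
    if sanitize:
        text = re.sub(r'[^A-Za-z0-9 ]+', ' ', text)
    text = text.replace('"', '')                      # quote stripping: backslashes survive
    words = re.sub(r' +', ' ', text).strip().split(' ')
    conds = []
    for w in words:
        term = php_stripslashes(w) if sanitize else w
        conds.append(f" AND k.keyword {operator} '{start}{term}{end}' ")
    return conds


SIMPLE_ESCAPES = {'0': '\0', 'b': '\b', 'n': '\n', 'r': '\r', 't': '\t',
                  'Z': '\x1a', '\\': '\\', "'": "'", '"': '"'}


def decode_sql_literal(fragment):
    """Decode the first single-quoted literal in `fragment` using MySQL's rules:
    backslash escapes, '' for an embedded quote, \\% and \\_ kept verbatim for LIKE.
    Returns the literal's value, or None when the literal never terminates, which
    is the syntax error behind the mysql_num_rows() warning in the first post."""
    i = fragment.find("'")
    if i < 0:
        return None
    i += 1
    out = []
    while i < len(fragment):
        c = fragment[i]
        if c == '\\':
            if i + 1 >= len(fragment):
                return None                    # backslash with nothing left to escape
            nxt = fragment[i + 1]
            if nxt in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[nxt])
            elif nxt in '%_':
                out.append('\\' + nxt)
            else:
                out.append(nxt)
            i += 2
        elif c == "'":
            if fragment[i + 1:i + 2] == "'":
                out.append("'")
                i += 2
            else:
                return ''.join(out)
        else:
            out.append(c)
            i += 1
    return None                                # closing quote never reached


def decoded_terms(raw, option, sanitize):
    """Return the value MySQL would see for each word's literal (None = broken query)."""
    return [decode_sql_literal(c) for c in build_conditions(raw, option, sanitize)]


if __name__ == '__main__':
    for option in OPTIONS:
        for sanitize in (False, True):
            print(f"option={option} fix={'on' if sanitize else 'off'}")
            for cond in build_conditions(QUOTED_SEARCH, option, sanitize):
                print(f"  {cond.strip()}  ->  {decode_sql_literal(cond)!r}")
```

Two things the run makes visible that the thread only states. With the LIKE wrapping, '\reference%' is syntactically valid but MySQL reads \r as a carriage return, so the search term is silently wrong; with the "exact words" option the trailing backslash escapes the closing quote and the literal never terminates, which is the query failure behind the warning in the first post. For the "drop table" input, the escaped quote is just a data character even without the fix, and with the fix the quote and semicolon are reduced to spaces before the condition is built, which is the point Charter makes in post #9: the alphanumeric whitelist is what keeps SQL punctuation out of the query.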