Not escaping single quotes
| Project: | Troll |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Hi folks, I don't know if this is a problem with the Troll module or Drupal at large, but I installed Troll and I was trying it out. I entered two values in the search string like 'foo' and 'bar' and I received the following in the logs:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'princi' 'traveler'%' AND u.uid != 0' at line 1 query: SELECT COUNT(*) FROM users u LEFT JOIN troll_ip_track t ON u.uid = t.uid WHERE u.uid != 0 AND LOWER(u.name) LIKE '%'princi' 'traveler'%' AND u.uid != 0 in /home/dir/public_html/includes/database.mysql.inc on line 121.
Looks like a SQL injection is possible. I haven't checked.
Thanks.

#1
I've cut a patch that allows Drupal to take care of preventing SQL injection.
Also included in this patch are:
- A few SQL changes for PostgreSQL compatibility.
- fixes in http://drupal.org/node/184779 (with slight changes)
- small fix to the $form['details'] fieldset title in troll_search_user_detail()
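The broken query from the original report next to the placeholder form that the patch in #1 relies on, as an added example that is not the Troll module's own code. `db_query_stub()` is an assumed stand-in that only reproduces how Drupal 5's db_query() expands `%s`, `%d` and `%%` (with addslashes() in place of the real db_escape_string()) so it runs without a database; the `troll_count_*` function names and the search string are constructed for the example.

```php
<?php
// Assumed stand-in for Drupal 5's db_query(): expands %% to a literal
// percent, %d to an integer and %s to an escaped string, as the real
// function does, but returns the finished SQL instead of running it.
// addslashes() stands in for db_escape_string() here only.
function db_query_stub($query) {
  $args = array_slice(func_get_args(), 1);
  $out = '';
  for ($i = 0, $n = strlen($query); $i < $n; $i++) {
    if ($query[$i] !== '%' || $i + 1 >= $n) {
      $out .= $query[$i];
      continue;
    }
    $c = $query[++$i];
    if ($c === '%') {
      $out .= '%';
    }
    elseif ($c === 's') {
      $out .= addslashes((string) array_shift($args));
    }
    elseif ($c === 'd') {
      $out .= (int) array_shift($args);
    }
    else {
      $out .= '%' . $c;   // unknown marker: pass through untouched
    }
  }
  return $out;
}
// The shape of the query in the logged error (reconstructed, not the
// module's source): the raw term is spliced into the LIKE literal, so a
// single quote in it ends the string and the rest is parsed as SQL.
function troll_count_sql_unsafe($search) {
  return "SELECT COUNT(*) FROM users u LEFT JOIN troll_ip_track t ON u.uid = t.uid "
    . "WHERE u.uid != 0 AND LOWER(u.name) LIKE '%" . $search . "%' AND u.uid != 0";
}

// The fix comment #1 describes: the term stays out of the template and is
// passed as a %s argument so the database layer escapes it; the two LIKE
// wildcards are written %% because a bare % is the placeholder marker.
function troll_count_sql_safe($search) {
  return db_query_stub(
    "SELECT COUNT(*) FROM users u LEFT JOIN troll_ip_track t ON u.uid = t.uid "
    . "WHERE u.uid != 0 AND LOWER(u.name) LIKE '%%%s%%' AND u.uid != 0",
    $search);
}
$search = "'princi' 'traveler'";   // constructed input, as in the report
echo troll_count_sql_unsafe($search), "\n";
echo troll_count_sql_safe($search), "\n";
```

Escaping the quotes closes the injection but leaves the LIKE wildcards `%` and `_` in user input active, so a search for `%` still matches every name; that is a wildcard leak rather than an injection and needs separate escaping if it matters.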
#2
#3
Automatically closed -- issue fixed for two weeks with no activity.