Possible escape issue in searches

Started by MrMike, October 10, 2023, 09:06:21 PM


MrMike

When searching for a term with a single quote ('), TinyPortal returns this error:

Database Error
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's and') AS score
FROM smf_tp_articles AS a
LEFT JOIN smf_me...' at line 1
File: /var/www/XXXXX/XXXXXX/web16/web/forum/Sources/TPSearch.php
Line: 201

tino

$what needs to be escaped, I think we can do it with db_quote, I'll look at it when I get the chance.

@rjen

That would be nice, was not sure how to tackle this
Running Latest TP on SMF2.1 at: www.fjr-club.nl

tino

$what = $smcFunc['db_quote'](
'{string:what}',
array(
'what' => $what
)
);


Should do it... can't test it as that's from my phone but I think it's right, might need the global also

@rjen

We now have this, this needs to be replaced?

        // clean the search
        $what = TPUtil::filter('tpsearch_what', 'post', 'string');

tino

Quote from: @rjen on October 22, 2023, 09:47:19 PM
We now have this, this needs to be replaced?

        // clean the search
        $what = TPUtil::filter('tpsearch_what', 'post', 'string');

Just after that line, as we need to sanitise it first then escape it.

@rjen

Nope..

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'fjr\''%' OR a.body LIKE '%'\'fjr\''%'
AND ((a.pub_start = 0 AND a....' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPSearch.php
Regel: 205


Quote
    else {
        checkSession('post');
        // clean the search
        $what = TPUtil::filter('tpsearch_what', 'post', 'string');
        $what = $smcFunc['db_quote'](
            '{string:what}',
            array('what' => $what)
        );
        if(!empty($_POST['tpsearch_title'])) {
            $usetitle = true;
        }
        if(!empty($_POST['tpsearch_body'])) {
            $usebody = true;
        }
    }


@rjen

same issue

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'fjr'%' OR a.body LIKE '%'fjr'%'
AND ((a.pub_start = 0 AND a.pub_end ...' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPSearch.php
Regel: 205
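As an added illustration (not code from TinyPortal or from anyone in this thread), this Python/sqlite3 model reproduces the three query shapes the thread shows: the original interpolation that breaks on a single quote, the pre-quoted value concatenated inside LIKE '%...%' that breaks on every input (the `'%'fjr'%'` in the error), and a bound pattern. The table rows are constructed; the table and column names are taken from the error messages, and `sql_quote` is only a stand-in for what a quoting helper like db_quote does.

```python
import sqlite3
# Constructed in-memory stand-in for smf_tp_articles; only columns named in the errors.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE smf_tp_articles (id INTEGER, subject TEXT, "
                "body TEXT, pub_start INTEGER, pub_end INTEGER)")
    con.executemany("INSERT INTO smf_tp_articles VALUES (?, ?, ?, 0, 0)", [
        (1, "FJR club ride", "Meet at the club's usual place"),
        (2, "Tyre pressure", "100% is the recommended value"),
        (3, "Other", "nothing relevant"),
    ])
    return con

def search_interpolated(con, what):
    """Original shape: the raw term is concatenated inside the quotes, so a
    single quote in `what` breaks the statement (the error the thread reports)."""
    sql = ("SELECT id FROM smf_tp_articles AS a WHERE a.subject LIKE '%"
           + what + "%' OR a.body LIKE '%" + what + "%'")
    return [row[0] for row in con.execute(sql)]

def sql_quote(value):
    """Stand-in for a quoting helper such as db_quote('{string:what}'):
    escapes embedded quotes and wraps the result in quotes."""
    return "'" + value.replace("'", "''") + "'"

def search_prequoted(con, what):
    """The thread's attempted fix: quoting the value but still concatenating it
    inside LIKE '%...%' yields LIKE '%'fjr'%', a syntax error for every input."""
    q = sql_quote(what)
    sql = ("SELECT id FROM smf_tp_articles AS a WHERE a.subject LIKE '%"
           + q + "%' OR a.body LIKE '%" + q + "%'")
    return [row[0] for row in con.execute(sql)]

def search_parameterized(con, what):
    """Correct shape: the whole pattern, wildcards included, is a bound
    parameter; user-supplied % and _ are escaped so they match literally."""
    literal = what.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = "%" + literal + "%"
    sql = ("SELECT id FROM smf_tp_articles AS a WHERE a.subject LIKE ? ESCAPE '\\'"
           " OR a.body LIKE ? ESCAPE '\\'")
    return [row[0] for row in con.execute(sql, (pattern, pattern))]

def query_fails(search, con, what):
    """True when the database rejects the statement (the thread's 'Database Error')."""
    try:
        search(con, what)
    except sqlite3.OperationalError:
        return True
    return False
```

In SMF terms the last form corresponds to passing the wildcarded term through a `{string:what}` placeholder in `db_query`, which quotes and escapes it as part of the query, rather than pre-quoting it with `db_quote` and then concatenating the result into a string that is already quoted.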

tino