\ in action causes database error

Started by Oldiesmann, June 06, 2020, 04:59:32 AM


tino

That doesn't surprise me. There are loads of unescaped data strings.

I'll see if I can parse it all at the start and clear them out in one place. Although that may cause other issues.

tino

I'm not sure what's the best way forward with this, it is in so many places and stripping them all out breaks other things in SMF. So it's either do it properly (like it should have been in the first place) or leave it as is. I can't seem to exploit it, mind.

@rjen

It seems to have been like this for quite some time. TBH I would not bother fixing it in 1.6.x branch. In 2.0.0 it would be nice to fix this where possible, but I cannot fully appreciate the impact that will have on other things...
Running Latest TP on SMF2.1 at: www.fjr-club.nl

tino

Quote from: @rjen on June 14, 2020, 04:37:35 PM
It seems to have been like this for quite some time. TBH I would not bother fixing it in 1.6.x branch. In 2.0.0 it would be nice to fix this where possible, but I cannot fully appreciate the impact that will have on other things...

It's pretty much everywhere a _GET or _POST request is used and not escaped properly. Which looking at it is most of the code. When the built in SMF string checks are used it's ok, it's not when the string is manually constructed, so the $access with FIND_IN_SET is a good example. I don't like that anyway, just couldn't find an easy alternative at the time.

Oldiesmann

I need to play with TP 2.0 at some point... Maybe that would be a good thing to use my newly-purchased ".rocks" domain for :P

@rjen

Quote from: Oldiesmann on June 16, 2020, 03:18:57 AM
I need to play with TP 2.0 at some point... Maybe that would be a good thing to use my newly-purchased ".rocks" domain for :P

TP 2.0.0 is pretty much ready, we could really use someone else's input on it before it can be released, so yes please!
Running Latest TP on SMF2.1 at: www.fjr-club.nl

tino

Quote from: @rjen on June 14, 2020, 09:08:54 AM
Unfortunately I do find a similar issue in 2.0.0 as well.

Tried adding the backslash after a page number... like this
https://test.fjr-club.nl/index.php?cat=Nieuws\
On a test forum running SMF 2.0.17 and TP200.

bam:

Quote
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''tpcat=Nieuws\', access2))
AND 1=1
ORDER BY bar, pos, id ASC' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPBlock.php
Regel: 163

Doing the same in 167 with 2.0.17 does not give any errors, so this is a 2.0 issue alone.
But it does not error on an SMF 2.1 test forum with TP 200

Fixed this one in my last commit and removed some duplicate code whilst I was at it.
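
The unescaped $_GET/$_POST concatenation tino describes (the $access with FIND_IN_SET case) and the cat=Nieuws\ error @rjen reproduced above, as an added example; this is not TinyPortal's or SMF's own code. It assumes a hypothetical table {db_prefix}tp_example and a stand-in escape routine; the real fix in SMF is to pass the value through the {string:...} placeholder of $smcFunc['db_query'], which mysql_style_escape below only imitates.

```php
<?php
// Added example, not TinyPortal or SMF code. It reproduces the failure from
// the thread (a request value such as cat=Nieuws\ dropped into a hand-built
// FIND_IN_SET clause) and shows the two defensive layers: letting the
// database layer escape the value, and validating it before it gets there.
// The table {db_prefix}tp_example is a hypothetical placeholder.

declare(strict_types=1);

// The pattern the thread complains about: the raw request value is glued
// into the SQL text. A trailing backslash escapes the closing quote, so the
// statement no longer parses (MariaDB: "You have an error in your SQL
// syntax ... near ''tpcat=Nieuws\', access2))").
function tp_unsafe_cat_query(string $cat): string
{
    return "SELECT id, bar, pos FROM {db_prefix}tp_example\n"
        . "WHERE FIND_IN_SET('tpcat=" . $cat . "', access2)\n"
        . "ORDER BY bar, pos, id ASC";
}

// Minimal stand-in for what SMF's {string:...} placeholder does (it calls the
// driver's real_escape_string): every character MySQL/MariaDB treats
// specially inside a quoted literal is prefixed with a backslash, so a
// trailing "\" becomes "\\" and the closing quote survives.
function mysql_style_escape(string $value): string
{
    return strtr($value, [
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ]);
}

// The "use the built-in SMF string checks" fix. In real SMF code this is
//   $smcFunc['db_query']('', '... FIND_IN_SET({string:cat}, access2) ...',
//                        array('cat' => 'tpcat=' . $cat));
// and the placeholder performs the escaping shown here.
function tp_escaped_cat_query(string $cat): string
{
    return "SELECT id, bar, pos FROM {db_prefix}tp_example\n"
        . "WHERE FIND_IN_SET('" . mysql_style_escape('tpcat=' . $cat) . "', access2)\n"
        . "ORDER BY bar, pos, id ASC";
}

// Second layer, applied in the request handler before any query is built:
// a category name is a plain identifier, so anything else is rejected
// outright instead of being escaped. The pattern is an assumption.
function tp_validate_cat(string $cat): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $cat) === 1;
}

// Constructed sample inputs: the normal case, the backslash from the thread,
// and a stray quote.
foreach (['Nieuws', 'Nieuws\\', "Nieuws'"] as $cat) {
    echo "--- cat=$cat\n";
    echo "unsafe (breaks on \\ and '):\n" . tp_unsafe_cat_query($cat) . "\n";
    echo "escaped (parses for any input):\n" . tp_escaped_cat_query($cat) . "\n";
    echo 'validated: ' . (tp_validate_cat($cat) ? 'accepted' : 'rejected') . "\n";
}
```

Run it with php on the command line and compare the three query texts for cat=Nieuws\: the unsafe one ends in 'tpcat=Nieuws\', access2) with the quote swallowed, which is exactly the syntax error quoted above, while the escaped one carries 'tpcat=Nieuws\\' and parses. The validation layer rejects the value before it gets that far, which is the cheaper check to add where TinyPortal already knows what a category name may look like.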

@rjen

Running Latest TP on SMF2.1 at: www.fjr-club.nl

Oldiesmann

Quote from: @rjen on June 16, 2020, 06:56:32 AM
Quote from: Oldiesmann on June 16, 2020, 03:18:57 AM
I need to play with TP 2.0 at some point... Maybe that would be a good thing to use my newly-purchased ".rocks" domain for :P

TP 2.0.0 is pretty much ready, we could really use someone else's input on it before it can be released, so yes please!

Just installed it at www.oldiesmann.rocks. Will play around with it some and let you know what I think.

I can also test it with PostgreSQL as well if you'd like.

tino

Most of my development is done in PostgreSQL, about 90% of it as I prefer it to MySQL, but another person testing it would be good. Especially as I've only really used 9.4 or above.