Author Topic: \ in action causes database error  (Read 2828 times)


Offline Oldiesmann

\ in action causes database error
« on: June 05, 2020, 09:59:32 PM »
Not sure this is worth fixing but I thought I'd report it anyway. Saw an error related to this in my forum's error log.


The query that handles finding blocks to show for a specific "action" doesn't escape the action, so a stray \ will cause an error.


Code:
Database Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=allpages', access2))

AND (FIND_IN_SET(-1, access))
ORDER BY bar, pos,' at line 9




SELECT * FROM smf_tp_blocks
WHERE off = 0
AND bar != 4
AND (




FIND_IN_SET('actio=signup', access2) OR FIND_IN_SET('actio=signup\', access2) OR FIND_IN_SET('actio=allpages', access2))

AND (FIND_IN_SET(-1, access))
ORDER BY bar, pos, id ASC


This occurs at line 2223 of Sources/TPortal.php


Other than generating a bunch of errors (the DB error followed by 5 "Undefined index: tp_panels" and 5 "in_array() expects parameter 2 to be array, null given" errors), it doesn't cause any problems (SMF just shows a generic error message to the user if they're not an admin), and I can't think of any legitimate reason why you'd have a \ in the action anyway, but it might be a good idea to escape it just in case.

Offline tino

Re: \ in action causes database error
« Reply #1 on: June 13, 2020, 10:32:14 AM »
What version of TinyPortal are you using? I am struggling to recreate this atm.

I tried action=forum\f but it doesn't throw an error.

Offline Oldiesmann

Re: \ in action causes database error
« Reply #2 on: June 13, 2020, 09:16:05 PM »
I believe it only occurs when the \ is the last character in the action string. In my case the action that triggered it is "signup\". I'm using TP 1.6.6.
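
Why only a trailing \ raises the error, shown as an added example that is not part of the thread or of TinyPortal's code: a small Python model of how MySQL/MariaDB delimits and decodes quoted literals under the default sql_mode, run over a shortened form of the query from the first post. The function names and the sample actions are constructed for illustration.

```python
# Added example (not TinyPortal code). Models how MySQL/MariaDB with the default
# sql_mode (no NO_BACKSLASH_ESCAPES) delimits and decodes '...' string literals.
DECODE = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}
ESCAPE = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
          "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def scan_literals(sql):
    """Return (literals, terminated) as the server's lexer would see them."""
    out, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch, nxt = sql[i], sql[i + 1:i + 2]
        if not in_str:
            in_str = ch == "'"
            i += 1
        elif ch == "\\" and nxt:
            # \% and \_ keep the backslash; unknown escapes drop it (\f -> f).
            buf.append(ch + nxt if nxt in "%_" else DECODE.get(nxt, nxt))
            i += 2
        elif ch == "'" and nxt == "'":
            buf.append("'")  # doubled quote is a literal quote
            i += 2
        elif ch == "'":
            out.append("".join(buf))
            buf, in_str = [], False
            i += 1
        else:
            buf.append(ch)
            i += 1
    return out, not in_str

def escape_mysql(value):
    """Model of the escaping a MySQL driver applies to a string value."""
    return "".join(ESCAPE.get(c, c) for c in value)

def build(action, escape):
    # Shortened form of the block query quoted in the first post.
    val = escape_mysql(action) if escape else action
    return ("SELECT * FROM smf_tp_blocks WHERE off = 0 AND ("
            f"FIND_IN_SET('actio={val}', access2) "
            "OR FIND_IN_SET('actio=allpages', access2))")

def check(action, escape=False):
    """True only if the server would see exactly the literals intended."""
    literals, terminated = scan_literals(build(action, escape))
    return terminated and literals == [f"actio={action}", "actio=allpages"]

if __name__ == "__main__":
    for action in ("signup", "forum\\f", "signup\\"):  # constructed inputs
        print(repr(action), check(action), check(action, escape=True))
```

In this model an unescaped forum\f still parses, but the server compares against forumf, while an unescaped signup\ swallows the closing quote and leaves the statement unterminated. With the value escaped (or passed as a bound parameter) both actions reach the server unchanged.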

Online lurkalot

Re: \ in action causes database error
« Reply #3 on: June 14, 2020, 01:25:44 AM »
Quote
I believe it only occurs when the \ is the last character in the action string. In my case the action that triggered it is "signup\". I'm using TP 1.6.6.

Yep, that triggers it for me too. I'm running TP 1.6.7.


Offline tino

Re: \ in action causes database error
« Reply #4 on: June 14, 2020, 01:32:14 AM »
Thanks, I think it’s fixed in Version 2, I’ll move that fix to 1.6.x also.

Online lurkalot

Re: \ in action causes database error
« Reply #5 on: June 14, 2020, 01:36:37 AM »
Quote
Thanks, I think it’s fixed in Version 2, I’ll move that fix to 1.6.x also.

Tino, thanks. I noticed you get about a page full of errors in the log in SMF 2.0 when you do this. In SMF 2.1 there is a different-looking error on the page when doing this, but about 50 errors in the log.

I'll go check TP 2.0.0

Online lurkalot

Re: \ in action causes database error
« Reply #6 on: June 14, 2020, 01:38:44 AM »
Quote
Thanks, I think it’s fixed in Version 2

Yep, I don't have this issue in TP 2.0.0.

Offline @rjen

Re: \ in action causes database error
« Reply #7 on: June 14, 2020, 02:08:54 AM »
Unfortunately I do find a similar issue in 2.0.0 as well.

Tried adding the backslash after a page number... like this
https://test.fjr-club.nl/index.php?cat=Nieuws\
On a test forum running SMF 2.0.17 and TP200.

bam:

Quote
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''tpcat=Nieuws\', access2))
AND 1=1
ORDER BY bar, pos, id ASC' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPBlock.php
Regel: 163

Doing the same in 167 with 2.0.17 does not give any errors, so this is a 2.0 issue alone.
But it does not error on an SMF 2.1 test forum with TP 200.
Running TP2.0.0 on SMF2.0 at: www.fjr-club.nl

Online lurkalot

Re: \ in action causes database error
« Reply #8 on: June 14, 2020, 02:18:28 AM »
Yep.  You're right it does.  ;)

Quote
Database Error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''tpage=ebay-rss\', access2) OR FIND_IN_SET('', access2))
AND 1=1
ORDER BY' at line 4
File: /home/vol11_7/byethost7.com/b7_24299229/htdocs/testsite5/Sources/TPBlock.php
Line: 163

Online lurkalot

Re: \ in action causes database error
« Reply #9 on: June 14, 2020, 02:27:05 AM »
Same thing happening in downloads as well in TP 1.6.7

action=tpmod;dl\
action=tpmod;dl=item14\

etc

I noticed in TP 2.0.0 though, action=tpmod;dl\ gives a,

"An Error Has Occurred!
Unable to load the 'main' template."