Roster not escaping ' or / in sql?


Postby myte » Thu Feb 12, 2009 3:32 am

Adding a note to one of our players led to this database error when updates were done:

Code:
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's g/f'' at line 1
SQL:
SELECT `members`.`member_id`, `members`.`name` FROM `roster_members` as `members` WHERE `members`.`name`='M's g/f'
File: lib/dbal/mysql.php
Line: 234


It looks to me like either the ' or the / was not escaped in the SQL string. My money is on the '.

Edit: I am still using Roster version 2.0.1

Thanks
Last edited by myte on Thu Feb 12, 2009 3:34 am, edited 1 time in total.


Postby zanix » Thu Feb 12, 2009 10:10 am

This looks like it's from memberslist. Look in addons/memberslist/inc/update_hook.php, starting on line 251.
Code:
$query =
    "SELECT `members`.`member_id`, `members`.`name`".
    " FROM `".$roster->db->table('members')."` as `members`".
    " WHERE `members`.`name`='" . addslashes($main_name) . "'";


Try replacing addslashes with $roster->db->escape.
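As an added illustration (not WoWRoster's own code, and using mysqli directly rather than the $roster->db wrapper), here is the same lookup in its unescaped form, with the connection's own escaping function, and as a prepared statement; the database connection details are assumed placeholders.

```php
<?php
// Added example, not WoWRoster code: the memberslist lookup built three ways.
// Assumes a mysqli connection to a database holding `roster_members`; the
// credentials below are placeholders and "M's g/f" is the name from the report.

$main_name = "M's g/f";

// 1. Broken: the value is concatenated with no escaping and yields exactly
//    the statement quoted in the 1064 error above.
function query_unescaped(string $name): string
{
    return "SELECT `members`.`member_id`, `members`.`name`"
         . " FROM `roster_members` as `members`"
         . " WHERE `members`.`name`='" . $name . "'";
}

// 2. Escaped by the connection itself. Unlike addslashes(), this function
//    knows the connection charset, so it escapes correctly for multibyte
//    encodings where a generic backslash rule is not enough.
function query_escaped(mysqli $db, string $name): string
{
    return "SELECT `members`.`member_id`, `members`.`name`"
         . " FROM `roster_members` as `members`"
         . " WHERE `members`.`name`='" . $db->real_escape_string($name) . "'";
}

// 3. Preferred: a prepared statement with a bound parameter. The name never
//    becomes part of the SQL text, so there is no escaping step to get wrong.
function find_member(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare(
        "SELECT `members`.`member_id`, `members`.`name`"
      . " FROM `roster_members` as `members`"
      . " WHERE `members`.`name` = ?"
    );
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($member_id, $found_name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['member_id' => $member_id, 'name' => $found_name] : null;
}

$db = new mysqli('localhost', 'roster_user', 'placeholder_password', 'roster_db');
$db->set_charset('utf8mb4'); // real_escape_string() relies on this being set

echo query_unescaped($main_name), "\n";    // builds the unescaped statement
echo query_escaped($db, $main_name), "\n"; // builds the escaped statement
var_dump(find_member($db, $main_name));    // runs the parameterised lookup
```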

