[pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action
Jon Daley
plogworld at jon.limedaley.com
Sat Jun 3 23:25:37 GMT 2006
I still can't see the problem, even if I revert back to before
your changes. I just get "article cannot be found". This is with search
engine friendly urls, if that makes any difference.
In my 1.0.4 blog, I got a <!-- printed on the screen, and that was
it. But, in any case, I am not seeing the password printed, and I am not
getting any errors with your new code.
On Sat, 3 Jun 2006, Jon Daley wrote:
> I updated a blog to 1.0.5. I see this in the referrer logging:
> 152969 Query INSERT INTO plog_statistics (`blog_id`, `article_id`, `time`, `ip`, `refer`, `agent`) VALUES ('1',
> '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*',
> '20060603191915', '', '', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3 WebWasher 3.4')
>
> I suppose this is okay, since it is quoted, and presumably any quoted string
> will be escaped properly, but it would be nicer to have it just fail, and not
> enter anything. Is the plog_statistics table a plugin, or is that part of
> the core?
>
> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>
>> I think this should fix them all, at least on the public side of the blog.
>>
>> We should also audit the code in 1.1.
>>
>> On 4 Jun 2006, at 01:28, oscar at devel.lifetype.net wrote:
>>
>>> Author: oscar
>>> Date: 2006-06-03 22:28:33 +0000 (Sat, 03 Jun 2006)
>>> New Revision: 3522
>>>
>>> Modified:
>>> plog/branches/lifetype-1.0.5/class/action/commentaction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/defaultaction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/resourceserveraction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/viewalbumaction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/viewarticleaction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/viewarticletrackbacksaction.class.php
>>> plog/branches/lifetype-1.0.5/class/action/viewresourceaction.class.php
>>> Log:
>>> added some validation to all action classes, looks like we had forgotten
>>> it
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> Eat drink and be merry, for tomorrow they may make it illegal.
>
**************************************
Jon Daley
http://jon.limedaley.com/
Faith is a simple trust in a personal redeemer.
The simpler our trust in Christ for all things, the surer our peace.
-- William Adams
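Added example, not LifeType's own code: the two defences the thread circles around, written as a stand-alone PHP snippet. A hypothetical validateArticleId() rejects a non-numeric article id up front (the "just fail" behaviour Jon asks for), and a hypothetical recordArticleView() binds every column of the plog_statistics insert through PDO so the user-controlled referrer and user-agent strings can never be read as SQL. Table and column names are taken from the query log quoted above; the PDO handle and the exact response on failure are assumptions.

```php
<?php
// Added example, not LifeType code. Shows how an action class can fail a
// request carrying a non-numeric article id instead of storing it, and
// how the statistics insert can be written with bound parameters.

// Return the id as an int when the raw request value is a positive
// integer, or false otherwise. The check is strict: the value seen in
// the log ("9999/**/UNION/**/SELECT...") fails, as do "12abc", "",
// and values with surrounding whitespace.
function validateArticleId($raw)
{
    if (!is_string($raw) && !is_int($raw)) {
        return false;
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string) $raw)) {
        return false;
    }
    return (int) $raw;
}

// Record a page view in plog_statistics. The article id has already
// passed validateArticleId(); the referrer and user agent are bound as
// data, so quoting does not depend on any escaping routine.
function recordArticleView(PDO $db, $blogId, $articleId, $ip, $referer, $agent)
{
    $stmt = $db->prepare(
        'INSERT INTO plog_statistics (blog_id, article_id, time, ip, refer, agent)
         VALUES (:blog_id, :article_id, :time, :ip, :refer, :agent)'
    );
    return $stmt->execute(array(
        ':blog_id'    => (int) $blogId,
        ':article_id' => (int) $articleId,
        ':time'       => date('YmdHis'),   // same format as '20060603191915' in the log
        ':ip'         => $ip,
        ':refer'      => $referer,
        ':agent'      => $agent,
    ));
}

// Usage sketch with the constructed input taken from the logged query.
$raw = '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*';
$articleId = validateArticleId($raw);
if ($articleId === false) {
    // Fail the request outright; nothing is written to plog_statistics.
    header('HTTP/1.0 404 Not Found');
    exit('Article cannot be found');
}
```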