[pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action

Jon Daley plogworld at jon.limedaley.com
Sat Jun 3 23:25:37 GMT 2006 

 	I still can't see the problem, even if I revert back to before 
your changes.  I just get "article cannot be found".  This is with search 
engine friendly urls, if that makes any difference.
 	In my 1.0.4 blog, I got a <!-- printed on the screen, and that was 
it.  But, in any case, I am not seeing the password printed, and I am not 
getting any errors with your new code.

  On Sat, 3 Jun 2006, Jon Daley wrote:

> I updated a blog to 1.0.5.  I see this in the referrer logging:
>                 152969 Query       INSERT INTO plog_statistics (`blog_id`, 
> `article_id`, `time`, `ip`,  `refer`, `agent`) VAL
> UES ('1', 
> '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*', 
> '20060603191915', '', '', '
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 
> Firefox/1.5.0.3 WebWasher 3.4')
>
> I suppose this is okay, since it is quoted, and presumably any quoted string 
> will be escaped properly, but it would be nicer to have it just fail, and not 
> enter anything.  Is the plog_statistics table a plugin, or is that part of 
> the core?
>
> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>
>> I think this should fix them all, at least on the public side of the blog.
>> 
>> We should also audit the code in 1.1.
>> 
>> On 4 Jun 2006, at 01:28, oscar at devel.lifetype.net wrote:
>> 
>>> Author: oscar
>>> Date: 2006-06-03 22:28:33 +0000 (Sat, 03 Jun 2006)
>>> New Revision: 3522
>>> 
>>> Modified:
>>>   plog/branches/lifetype-1.0.5/class/action/commentaction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/defaultaction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/resourceserveraction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/viewalbumaction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/viewarticleaction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/viewarticletrackbacksaction.class.php
>>>   plog/branches/lifetype-1.0.5/class/action/viewresourceaction.class.php
>>> Log:
>>> added some validation to all action classes, looks like we had forgotten 
>>> it
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> Eat drink and be merry, for tomorrow they may make it illegal.
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://devel.lifetype.net/mailman/listinfo/plog-svn
>

**************************************
Jon Daley
http://jon.limedaley.com/

Faith is a simple trust in a personal redeemer.
The simpler our trust in Christ for all things, the surer our peace.
-- William Adams

More information about the pLog-svn mailing list