[pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action
Jon Daley
plogworld at jon.limedaley.com
Sat Jun 3 23:28:03 GMT 2006
Ah, now I got it. Not sure why I didn't see it before, maybe a
caching issue or something.
On Sat, 3 Jun 2006, Jon Daley wrote:
> I still can't see the problem, even if I revert back to before your
> changes. I just get "article cannot be found". This is with search engine
> friendly urls, if that makes any difference.
> In my 1.0.4 blog, I got a <!-- printed on the screen, and that was
> it. But, in any case, I am not seeing the password printed, and I am not
> getting any errors with your new code.
>
> On Sat, 3 Jun 2006, Jon Daley wrote:
>
>> I updated a blog to 1.0.5. I see this in the referrer logging:
>> 152969 Query INSERT INTO plog_statistics (`blog_id`, `article_id`, `time`, `ip`, `refer`, `agent`) VALUES ('1',
>> '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*',
>> '20060603191915', '', '', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3 WebWasher 3.4')
>>
>> I suppose this is okay, since it is quoted, and presumably any quoted
>> string will be escaped properly, but it would be nicer to have it just
>> fail, and not enter anything. Is the plog_statistics table a plugin, or is
>> that part of the core?
>>
>> On Sun, 4 Jun 2006, Oscar Renalias wrote:
>>
>>> I think this should fix them all, at least on the public side of the blog.
>>>
>>> We should also audit the code in 1.1.
>>>
>>> On 4 Jun 2006, at 01:28, oscar at devel.lifetype.net wrote:
>>>
>>>> Author: oscar
>>>> Date: 2006-06-03 22:28:33 +0000 (Sat, 03 Jun 2006)
>>>> New Revision: 3522
>>>>
>>>> Modified:
>>>> plog/branches/lifetype-1.0.5/class/action/commentaction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/defaultaction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/resourceserveraction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/viewalbumaction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/viewarticleaction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/viewarticletrackbacksaction.class.php
>>>> plog/branches/lifetype-1.0.5/class/action/viewresourceaction.class.php
>>>> Log:
>>>> added some validation to all action classes, looks like we had forgotten
>>>> it
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>
>> **************************************
>> Jon Daley
>> http://jon.limedaley.com/
>>
>> Eat drink and be merry, for tomorrow they may make it illegal.
>
> **************************************
> Jon Daley
> http://jon.limedaley.com/
>
> Faith is a simple trust in a personal redeemer.
> The simpler our trust in Christ for all things, the surer our peace.
> -- William Adams
**************************************
Jon Daley
http://jon.limedaley.com/
I won't pass the course, but I don't care.
-- Professor Maly
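The two points made in the thread above, shown as an added Python sketch that is not LifeType's PHP code: a bound (quoted) value such as the logged article_id is stored as an inert literal, and a simple "must be a positive integer" check on the id stops that request from ever reaching the statistics INSERT. The regex, the helper names and the SQLite schema are my assumptions; the sample article_id is the value from the log line quoted above.

```python
import re
import sqlite3

# Constructed samples: the article_id seen in the referrer log on this page, and a sane one.
SAMPLE_PAYLOAD = "9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*"
SAMPLE_GOOD = "42"

# Hypothetical rule: an article id is a plain positive integer, no sign, no leading zeros.
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def validate_article_id(raw):
    """Return the id as int, or None if the value is not a plain positive integer."""
    if raw is None or not _ID_RE.fullmatch(raw):
        return None
    return int(raw)


def record_hit(conn, blog_id, raw_article_id, ip, refer, agent):
    """Write a statistics row only if the id validates; True if written, False if rejected."""
    article_id = validate_article_id(raw_article_id)
    if article_id is None:
        return False
    # Parameterized INSERT: values are bound, never spliced into the SQL text.
    conn.execute(
        "INSERT INTO plog_statistics (blog_id, article_id, ip, refer, agent) VALUES (?, ?, ?, ?, ?)",
        (blog_id, article_id, ip, refer, agent),
    )
    return True


def stored_literal(conn, raw):
    """Bind raw into a TEXT column and read it back: shows that a bound value stays inert."""
    conn.execute("CREATE TABLE IF NOT EXISTS scratch (v TEXT)")
    conn.execute("INSERT INTO scratch (v) VALUES (?)", (raw,))
    return conn.execute("SELECT v FROM scratch").fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plog_statistics (blog_id INTEGER, article_id INTEGER, ip TEXT, refer TEXT, agent TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, password TEXT)")  # stand-in the payload tries to read
    conn.execute("INSERT INTO users VALUES (1, 'secret')")
    rejected = not record_hit(conn, 1, SAMPLE_PAYLOAD, "", "", "Mozilla/5.0")
    accepted = record_hit(conn, 1, SAMPLE_GOOD, "", "", "Mozilla/5.0")
    rows = conn.execute("SELECT article_id FROM plog_statistics").fetchall()
    literal = stored_literal(conn, SAMPLE_PAYLOAD)
    return rejected, accepted, rows, literal


if __name__ == "__main__":
    print(demo())
```

Run as a script to see that the malformed id is rejected, the valid one is stored, and the bound payload comes back as the same string it went in as.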