[pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action
Jon Daley
plogworld at jon.limedaley.com
Sat Jun 3 23:45:32 GMT 2006
I will look into the referrer stuff more.
I have updated various blogs that I run, and they all seem to be working
fine, and since there is an opportunity to say how great subversion is - I
have the blog_domain code coded in a 1.0.4 blog, and it is now running
1.0.5, with a perfect merge of Oscar's fixes, and my locally modified
code. Subversion is great!
On Sun, 4 Jun 2006, Oscar Renalias wrote:
> It's part of the core.
>
> Take a look at BlogAction::_updateReferrer, we might need to add more
> validation there.
>
> On 4 Jun 2006, at 02:21, Jon Daley wrote:
>
>> I updated a blog to 1.0.5. I see this in the referrer logging:
>> 152969 Query INSERT INTO plog_statistics (`blog_id`,
>> `article_id`, `time`, `ip`, `refer`, `agent`) VAL
>> UES ('1',
>> '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*',
>> '20060603191915', '', '', '
>> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426
>> Firefox/1.5.0.3 WebWasher 3.4')
>>
>> I suppose this is okay, since it is quoted, and presumably any quoted
>> string will be escaped properly, but it would be nicer to have it just
>> fail, and not enter anything. Is the plog_statistics table a plugin, or is
>> that part of the core?
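As an added illustration of the check Oscar suggests for BlogAction::_updateReferrer (this is not LifeType's code; it is a small Python stand-in, and the in-memory sqlite table is a hypothetical substitute for the MySQL plog_statistics table), the function below validates article_id as a plain positive integer and refuses to write the row at all when that fails, so the payload quoted in the log line above is simply dropped instead of being escaped into the table. The insert itself still uses bound parameters, so the two defences are independent of each other.

```python
import re
import sqlite3

# Constructed sample inputs: the first is the article_id value quoted in the
# thread's log line, the second is an ordinary article id.
INJECTION_PAYLOAD = (
    "9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1"
    "/**/FROM/**/users/**/WHERE/**/id=1/*"
)
VALID_ARTICLE_ID = "42"

# Only digits, no sign, no whitespace, no comments; length capped to keep int() cheap.
_ARTICLE_ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_article_id(raw):
    """Return the article id as an int, or None if it is not a plain positive integer.

    Rejecting instead of escaping means no statistics row is written for junk
    input, which is the behaviour the thread asks for."""
    if raw is None or not _ARTICLE_ID_RE.match(raw):
        return None
    value = int(raw)
    return value if value > 0 else None


def open_stats_db():
    # Hypothetical in-memory stand-in for plog_statistics; column names follow the log line.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plog_statistics ("
        "blog_id INTEGER, article_id INTEGER, time TEXT, "
        "ip TEXT, refer TEXT, agent TEXT)"
    )
    return conn


def record_referrer(conn, blog_id, raw_article_id, time, ip, refer, agent):
    """Insert a statistics row only when article_id validates; always bind parameters.

    Returns True if a row was written, False if the input was rejected."""
    article_id = validate_article_id(raw_article_id)
    if article_id is None:
        return False
    conn.execute(
        "INSERT INTO plog_statistics (blog_id, article_id, time, ip, refer, agent) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (blog_id, article_id, time, ip, refer, agent),
    )
    conn.commit()
    return True


def row_count(conn):
    """Number of rows currently in the stand-in statistics table."""
    return conn.execute("SELECT COUNT(*) FROM plog_statistics").fetchone()[0]


if __name__ == "__main__":
    db = open_stats_db()
    agent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3)"
    print("payload accepted:", record_referrer(db, 1, INJECTION_PAYLOAD, "20060603191915", "", "", agent))
    print("valid id accepted:", record_referrer(db, 1, VALID_ARTICLE_ID, "20060603191915", "", "", agent))
    print("rows written:", row_count(db))
```

The regex is deliberately stricter than a cast: `intval()`-style conversion would turn the payload into 9999 and log a bogus hit, whereas a whole-string digit match distinguishes "this is an article id" from "this merely starts with one".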