[pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action

Jon Daley plogworld at jon.limedaley.com
Sat Jun 3 23:45:32 GMT 2006

I will look into the referrer stuff more.

I have updated various blogs that I run, and they all seem to be working 
fine, and since there is an opportunity to say how great subversion is - I 
have the blog_domain code coded in a 1.0.4 blog, and it is now running 
1.0.5, with a perfect merge of Oscar's fixes, and my locally modified 
code.  Subversion is great!

On Sun, 4 Jun 2006, Oscar Renalias wrote:
> It's part of the core.
> Take a look at BlogAction::_updateReferrer, we might need to add more 
> validation there.
> On 4 Jun 2006, at 02:21, Jon Daley wrote:
>> I updated a blog to 1.0.5.  I see this in the referrer logging:
>>                 152969 Query       INSERT INTO plog_statistics (`blog_id`, 
>> `article_id`, `time`, `ip`,  `refer`, `agent`) VAL
>> UES ('1', 
>> '9999/**/UNION/**/SELECT/**/password,1,1,1,1,1,1,1/**/FROM/**/users/**/WHERE/**/id=1/*', 
>> '20060603191915', '', '', '
>> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060426 
>> Firefox/ WebWasher 3.4')
>> I suppose this is okay, since it is quoted, and presumably any quoted 
>> string will be escaped properly, but it would be nicer to have it just 
>> fail, and not enter anything.  Is the plog_statistics table a plugin, or is 
>> that part of the core?

More information about the pLog-svn mailing list