vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)
-   -   Anyone know what this weird error is? (https://vborg.vbsupport.ru/showthread.php?t=306047)

Disco_Dave 12-19-2013 06:44 AM
Anyone know what this weird error is?
 
We haven't had any errors in awhile, just seems strange.

PHP Code:
Database error in vBulletin 4.2.2:

Invalid SQL:
SELECT FROM vbuserregcode WHERE userregemail 'bell_o'reily9215@internetmarketerthemes.com';

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'reily9215@internetmarketerthemes.com'' at line 1
Error Number  1064
Request Date  WednesdayDecember 18th 2013 11:27:55 PM
Error Date    WednesdayDecember 18th 2013 11:27:57 PM
Script        http://www.nirc.co.uk/forums/joiningthenirc.php
Referrer      https://www.nirc.co.uk/forums/joiningthenirc.php?
IP Address    23.231.103.163
Username      Unregistered
Classname     vB_Database_MySQLi
MySQL Version 

billstelling 12-19-2013 07:05 AM
'bell_o'reily9215@internetmarketerthemes.com'

that is causing the error code. the ' mark.

Disco_Dave 12-19-2013 07:08 AM
Quote:
Originally Posted by billstelling (Post 2469382)
'bell_o'

that is causing the error code. the ' marks
Any idea on how to fix this? Thanks for the reply.

billstelling 12-19-2013 07:12 AM
take the ' out of the email address. he will have to use another email to join nirc.

Lynne 12-19-2013 05:37 PM
Or fix the query to accept the ' (use addslashes(htmlspecialchars_uni ? Sorry, it's been a while since I've done that.)

Zachery 12-19-2013 09:25 PM
You're not sanitizing your inputs, that file is just ready to bust out some nearly nasty SQLi

vBNinja 12-19-2013 10:38 PM
I highly recommend you get someone who knows how to securely handle queries to fix your code because as it is, anyone can easily drop any table in your database.

If you're the one one that coded it, simply pass your email variable through the $vbulletin->db->escape_string() function

ForceHSS 12-19-2013 10:48 PM
The ip belongs to a spam bot i see

ozzy47 12-19-2013 10:57 PM
If this code is vulnerable, then the mod needs to be grave yarded, https://vborg.vbsupport.ru/showthread.php?t=294164

--------------- Added [DATE]1387505631[/DATE] at [TIME]1387505631[/TIME] ---------------

Which I see it now is, 'quarantined'

BirdOPrey5 12-20-2013 01:16 AM
Yes I have quarantined the mod and informed the author of a security issue. I recommend anyone with this mod installed, disable it in product manager until an update is released.

ForceHSS 12-20-2013 01:35 AM
Use this myself but i recoded it sometime ago and have never had a problem so for now will keep it active

ozzy47 12-20-2013 01:36 AM
Quote:
Originally Posted by ForceHSS (Post 2469624)
Use this myself but i recoded it sometime ago and have never had a problem so for now will keep it active
Did you sanitize the inputs?

ForceHSS 12-20-2013 01:52 AM
Quote:
Originally Posted by ozzy47 (Post 2469625)
Did you sanitize the inputs?
Yes

Disco_Dave 12-20-2013 07:33 AM
So this all relates to this mod: Verify Mail before registration I have disabled this mod for now, following the email I got this morning. Do I need to do anything else?

BirdOPrey5 12-20-2013 10:18 AM
No, just wait and see if it gets updated, if it does you will get another email.

ForceHSS 12-20-2013 12:06 PM
Alternatively you can set a directive in the php.ini file to default to sanitizing all input for HTML safety:


Quote:
filter.default="special_chars"

BirdOPrey5 12-20-2013 12:20 PM
Quote:
Originally Posted by ForceHSS (Post 2469675)
Alternatively you can set a directive in the php.ini file to default to sanitizing all input for HTML safety:
According to this- http://www.w3schools.com/php/filter_...cial_chars.asp

That would not help an SQL injection since a single quote is not an HTML special character- this is only to prevent HTML not SQL injection.


All times are GMT. The time now is 06:00 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01233 seconds
  • Memory Usage 1,752KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_php_printable
  • (5)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (17)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete