The Arcive of Official vBulletin Modifications Site.

BUG: apostrophes kill the PM feature · **Released**: 10-25-2006

I just had a user get the following SQL error:

Quote:

mySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'a'smooch', 'Your Highscore got beaten', '[size=1][i]This is an automatically gen' at line 1
mySQL error code:
Date: Wednesday 25th of October 2006 10:04:14 AM

The user's name is Mr. Wink'a'smooch.

I told him it was cause his name was horrible, but I thought I'd let you know anyway...

MrZeropage · #2 10-26-2006, 08:47 AM

should be fixed in v2.5.7+ and work fine there

Ziki · #3 10-26-2006, 12:57 PM

Dude sql injection!THis is a total hacking pie!
Don't forget addslashes!

fly · #4 10-26-2006, 01:26 PM

omy

dfsafasd

MrZeropage · #5 10-26-2006, 01:32 PM

This is all good in v2.5.7+

and no injection-problem because only valid data (username and predefined texts) arrive there, no external data

Mark.B · #6 10-26-2006, 02:01 PM

Quote:

Originally Posted by MrZeropage

This is all good in v2.5.7+

and no injection-problem because only valid data (username and predefined texts) arrive there, no external data

Any chance of a fix for this in earlier vesions when you get a moment?

Ziki · #7 10-31-2006, 04:44 PM

Quote:

Originally Posted by MrZeropage

This is all good in v2.5.7+

and no injection-problem because only valid data (username and predefined texts) arrive there, no external data

But knowing this I can create an username for example ' OR ''=' OR '1'='1 or others like that

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.03990 seconds Memory Usage 2,250KB Queries Executed 22 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_post (1)navbar (6)navbar_link (120)option (7)post_thanks_box (7)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (7)post_thanks_postbit_info (6)postbit (7)postbit_onlinestatus (7)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!