
Open-AudIT

What's on your network?

All times are UTC + 10 hours

PostPosted: Sun Feb 10, 2008 11:14 am 

Joined: Wed Feb 06, 2008 3:06 am
Posts: 38
Apostrophes cause errors on the Manual data page. Any conjunctions or possessives (Yes, English terms, lol) cause an error like

[code]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's',[/code]

This happened on a " 's "
I am adding more fields for our systems to fit our needs, but it's hard to explain to end users that they can't use apostrophes.

*Edit - more info
Double quotes, semicolons, commas work fine. Also, if I use a \' then the apostrophe saves correctly. I understand what's happening, but I am not a code guru like you guys, so I can't even think of where to start to fix it. :oops:

_________________
[size=85]OA Server: W2k3/IIS/PHP5/MySQL
Currently auditing 558 servers, 138 Workstations
LDAP=AD, Audit interval ~ once/month[/size]


PostPosted: Wed Mar 17, 2010 7:16 am 

Joined: Tue Jun 23, 2009 9:15 am
Posts: 4
I'm using a svn build from December and this still seems to happen. Looks like improperly escaped input.


PostPosted: Wed Mar 17, 2010 10:05 am 

Joined: Tue Jun 23, 2009 9:15 am
Posts: 4
On Version 09.12.23

https://server/open-audit/system_post.php

POST=pc=4C4C4544-0050-4A10-8038-B8C04F504C31&category=manual&view=summary&system_man_location=place&system_man_date_of_purchase=2010-03-03&system_man_value=&system_man_serial_number=&system_man_description=Faculty%27s+Computer&save=Save

[code]
Fatal Error:

UPDATE `system_man` SET `system_man_value` = '', `system_man_description` = 'Faculty's Computer', `system_man_location` = 'place', `system_man_serial_number` = '', `system_man_date_of_purchase` = '2010-03-03' WHERE `system_man_uuid` = '4C4C4544-0050-4A10-8038-B8C04F504C31'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Computer', `system_man_location` = 'place', `sy' at line 1

Array
(
[pc] => 4C4C4544-0050-4A10-8038-B8C04F504C31
[category] => manual
[view] => summary
[system_man_location] => place
[system_man_date_of_purchase] => 2010-03-03
[system_man_value] =>
[system_man_serial_number] =>
[system_man_description] => Faculty's Computer
[save] => Save
[PORTALTHEME] => standard_0,1
[__utma] => 224820510.1013121998.1178840920.1178840920.1178840920.1
[__qca] => 1178841293-56926504-8570938
)
[/code]


Last edited by crbarahona on Wed Mar 17, 2010 10:48 am, edited 2 times in total.

PostPosted: Wed Mar 17, 2010 11:09 am 

Joined: Tue Jun 23, 2009 9:15 am
Posts: 4
It should be noted that this doesn't occur by default prior to PHP 5.3, because magic_quotes is on by default prior to 5.3. This escapes posted variables 'automagically'. If magic_quotes is off (deprecated as of 5.3) then the problem occurs. Most, if not all, of the input should be escaped prior to use, but to deal with this specific problem, you can get by adjusting the following:

system_post.php:51

original
[code]
$sql .= "`system_man_value` = '" . $_REQUEST['system_man_value'] . "', ";
$sql .= "`system_man_description` = '" . $_REQUEST['system_man_description'] . "', ";
$sql .= "`system_man_location` = '" . $_REQUEST['system_man_location'] . "', ";
$sql .= "`system_man_serial_number` = '" . $_REQUEST['system_man_serial_number'] . "', ";
[/code]

patched

[code]
$sql .= "`system_man_value` = '" . mysql_real_escape_string($_REQUEST['system_man_value']) . "', ";
$sql .= "`system_man_description` = '" . mysql_real_escape_string($_REQUEST['system_man_description']) . "', ";
$sql .= "`system_man_location` = '" . mysql_real_escape_string($_REQUEST['system_man_location']) . "', ";
$sql .= "`system_man_serial_number` = '" . mysql_real_escape_string($_REQUEST['system_man_serial_number']) . "', ";
[/code]


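The failure in this thread, reproduced and fixed in an added example that is not Open-AudIT code: the same `system_man` UPDATE is built first by string concatenation (as in `system_post.php`) and then with bound parameters, which fixes the whole class rather than just the apostrophe. It uses an in-memory SQLite database as a stand-in for MySQL, and the form values are constructed from the POST shown above.

```python
import sqlite3

# Constructed sample: the POST fields from the thread's error dump.
POSTED = {
    "system_man_uuid": "4C4C4544-0050-4A10-8038-B8C04F504C31",
    "system_man_value": "",
    "system_man_description": "Faculty's Computer",
    "system_man_location": "place",
    "system_man_serial_number": "",
    "system_man_date_of_purchase": "2010-03-03",
}
FIELDS = ["system_man_value", "system_man_description", "system_man_location",
          "system_man_serial_number", "system_man_date_of_purchase"]


def fresh_db():
    """Minimal stand-in for the system_man table with one row to update."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE system_man (system_man_uuid TEXT PRIMARY KEY, "
               + ", ".join(f"{f} TEXT" for f in FIELDS) + ")")
    db.execute("INSERT INTO system_man (system_man_uuid) VALUES (?)",
               (POSTED["system_man_uuid"],))
    return db


def update_concatenated(db, form):
    """Original pattern: values pasted into the SQL text. An apostrophe in
    the input terminates the string literal early and the statement fails."""
    sql = "UPDATE system_man SET " + ", ".join(
        f"`{f}` = '{form[f]}'" for f in FIELDS)
    sql += f" WHERE `system_man_uuid` = '{form['system_man_uuid']}'"
    db.execute(sql)


def update_parameterised(db, form):
    """Fix: placeholders. The driver sends values separately from the SQL
    text, so user data never needs escaping for the query to stay intact."""
    sql = "UPDATE system_man SET " + ", ".join(f"`{f}` = ?" for f in FIELDS)
    sql += " WHERE `system_man_uuid` = ?"
    db.execute(sql, [form[f] for f in FIELDS] + [form["system_man_uuid"]])


def try_both(form):
    """Return (concatenated_version_failed, description_stored_by_fixed_version)."""
    db = fresh_db()
    try:
        update_concatenated(db, form)
        failed = False
    except sqlite3.OperationalError:  # the syntax error the thread reports
        failed = True
    update_parameterised(db, form)
    row = db.execute("SELECT system_man_description FROM system_man "
                     "WHERE system_man_uuid = ?", (form["system_man_uuid"],))
    return failed, row.fetchone()[0]
```

`mysql_real_escape_string` as patched above repairs the quoting for this field; bound parameters remove the need to remember it for every field on every page.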