double quotes crash Phpdig

Rolandks · 10-03-2003, 08:18 AM

+ exact words
+ "reference documentation" in quotes

Search for test

mysql_num_rows(): supplied argument is not a valid MySQL result resource on libs/search_function.php in line 164

Possible solution:
In Line 53: quotes and other things which crashes a MySQL-Query must delete.

Iltud · 10-04-2003, 01:29 PM

Hi,

I'm not sure, but can this bug cause a critical SQL insertion with a "drop table" query ?

For example if the searched words are like this :

none';drop table keywords;select * from keywords where etc...

Nicolas.

Charter · 10-05-2003, 11:52 AM

Hi. Please check and see if you can break it again. Thanks.

Iltud · 10-05-2003, 12:22 PM

Edit for Solution :

After chekcing, there is no possibilty to include SQL code. But there is effectivly a bug as Roland said.

All quotes are badly stripped.

At the begining "reference documentation" is transformed in \"reference documentation\".

At line #100 in search_function.php it's then transformed in \reference documentation\ (quotes disappear).

Then, each word, separated by a space, is used in a query. In Roland's case, this give two queries with :

.... AND k.keyword like '\reference%'
and
.... AND k.keyword like 'documentation\%'

Of course, this cause mySql to fail.

IMHO, a solution could be around lines 97-103.

Thanks,
Nicolas.

Charter · 10-05-2003, 02:20 PM

Hi. In search_function.php find:

PHP Code:


			
$query_to_parse = trim(ereg_replace(" +"," ",$query_to_parse)); // no more than 1 blank

and before it add:

PHP Code:


			
if (eregi("[^[:alnum:]^ +]+",$query_to_parse)) { $query_to_parse = eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); }

Also, in search_function.php find:

PHP Code:


			
$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].$regs[2].$like_end[$option]."' ";

and replace with:

PHP Code:


			
$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].stripslashes($regs[2]).$like_end[$option]."' ";

Of course, remove any "word" wrapping in the above code.

manute · 10-15-2003, 06:52 AM

hey, i just wanted to post that bug, but fortunately there's a solution already. great. thanks. :-)

chazter · 10-21-2003, 01:40 PM

Thanks for the solution with the double quotes. Much appreciated. It worked for me.

barrett_lyon · 10-24-2003, 12:40 PM

I have yet to test it, but I am pretty sure anyone can inject mysql queries into the search field. Sorry I have not researched the code on my own, I am hoping someone else has already done that effort.

Also, I have wrote some code that allows regex searches. Is there an easy way to submit a diff?

Charter · 10-24-2003, 03:36 PM

Hi. The code eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); takes everything that is not a number, letter, or space and replaces it with a space. This happens before $kconds[$ncrit] is formed, where $kconds[$ncrit] is used to make the mysql query from the search field. Please do examine the code. The more eyes, the better.

The regex code sounds cool. Please post it in the Mod Submissions forum.

10-05-2003, 11:52 AM	#3
Charter Head Mole Join Date: May 2003 Posts: 2,539	Hi. Please check and see if you can break it again. Thanks. __________________ Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.

10-05-2003, 12:22 PM	#4
Iltud Green Mole Join Date: Sep 2003 Location: Brest - France Posts: 22	Edit for Solution : After chekcing, there is no possibilty to include SQL code. But there is effectivly a bug as Roland said. All quotes are badly stripped. At the begining "reference documentation" is transformed in \"reference documentation\". At line #100 in search_function.php it's then transformed in \reference documentation\ (quotes disappear). Then, each word, separated by a space, is used in a query. In Roland's case, this give two queries with : .... AND k.keyword like '\reference%' and .... AND k.keyword like 'documentation\%' Of course, this cause mySql to fail. IMHO, a solution could be around lines 97-103. Thanks, Nicolas. Last edited by Iltud; 10-05-2003 at 01:37 PM.

10-05-2003, 02:20 PM	#5
Charter Head Mole Join Date: May 2003 Posts: 2,539	Hi. In search_function.php find: PHP Code: `$query_to_parse = trim(ereg_replace(" +"," ",$query_to_parse)); // no more than 1 blank` and before it add: PHP Code: `if (eregi("[^[:alnum:]^ +]+",$query_to_parse)) { $query_to_parse = eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); }` Also, in search_function.php find: PHP Code: `$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].$regs[2].$like_end[$option]."' ";` and replace with: PHP Code: `$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].stripslashes($regs[2]).$like_end[$option]."' ";` Of course, remove any "word" wrapping in the above code. __________________ Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.

10-24-2003, 12:40 PM	#8
barrett_lyon Green Mole Join Date: Oct 2003 Location: Los Angeles Posts: 1	mysql injection possibility I have yet to test it, but I am pretty sure anyone can inject mysql queries into the search field. Sorry I have not researched the code on my own, I am hoping someone else has already done that effort. Also, I have wrote some code that allows regex searches. Is there an easy way to submit a diff?

10-24-2003, 03:36 PM	#9
Charter Head Mole Join Date: May 2003 Posts: 2,539	Hi. The code eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); takes everything that is not a number, letter, or space and replaces it with a space. This happens before $kconds[$ncrit] is formed, where $kconds[$ncrit] is used to make the mysql query from the search field. Please do examine the code. The more eyes, the better. The regex code sounds cool. Please post it in the Mod Submissions forum. __________________ Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.

10-03-2003, 08:18 AM	#1
Rolandks Purple Mole Join Date: Sep 2003 Location: Kassel, Germany Posts: 119	double quotes crash Phpdig + exact words + "reference documentation" in quotes Search for test mysql_num_rows(): supplied argument is not a valid MySQL result resource on libs/search_function.php in line 164 Possible solution: In Line 53: quotes and other things which crashes a MySQL-Query must delete. __________________ -Roland- :: Test PhpDig 1.6.2 here :: - :: Test-Search for (little) Intelligent Php-Dig Fuzzy :: Last edited by Rolandks; 10-03-2003 at 08:24 AM.

10-04-2003, 01:29 PM	#2
Iltud Green Mole Join Date: Sep 2003 Location: Brest - France Posts: 22	Hi, I'm not sure, but can this bug cause a critical SQL insertion with a "drop table" query ? For example if the searched words are like this : none';drop table keywords;select * from keywords where etc... Nicolas.

10-15-2003, 06:52 AM	#6
manute Orange Mole Join Date: Oct 2003 Location: hamburg, germany Posts: 52	hey, i just wanted to post that bug, but fortunately there's a solution already. great. thanks. :-)

10-21-2003, 01:40 PM	#7
chazter Green Mole Join Date: Sep 2003 Posts: 8	Thanks for the solution with the double quotes. Much appreciated. It worked for me.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
URLs containing single quotes	mmaattttt	Troubleshooting	2	08-26-2004 09:03 PM
How can I restart spidering after crash?	yapuka	How-to Forum	12	05-19-2004 03:13 AM
speed of search and filter out double results	marb	How-to Forum	1	03-29-2004 11:38 AM
double install	marb	How-to Forum	1	03-10-2004 03:40 PM
search phrases in quotes?	rediray	How-to Forum	1	10-03-2003 06:39 PM