JoomlaCode SQL error

If you have any 'mechanical' forge related issues/suggestions, pop them in here.

Moderators: RussW, RobInk, ChiefGoFor, facedancer

endi
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 16, 2006 10:24 am
Location: Pisa, Italy

JoomlaCode SQL error

Post by endi » Thu Jul 19, 2007 9:14 am

If I open http://joomlacode.org/gf/project/ and search, for instance, "Joom!fish", I get an error page displaying the full SQL query. The error is due to the !. The query disclosure itself is a security risk, but if input is not sanitized and escaped correctly this could also lead to SQL injection, though I have not checked specifically whether Code is vulnerable to that.

endi
Joomla! Apprentice
Posts: 19
Joined: Thu Nov 16, 2006 10:24 am
Location: Pisa, Italy

Re: JoomlaCode SQL error

Post by endi » Sat Jul 21, 2007 10:08 am

To be more precise:

Enter * to return all
Could not execute query [Native Error: ERROR: syntax error] [User Info: SELECT headline(project.project_name, q) as project_name, headline(project.description, q) as description, project.project_id FROM project, projects_idx, to_tsquery('joom!fish') AS q WHERE (project.project_id=projects_idx.project_id AND (projects_idx.vectors @@ q)) ORDER BY rank(projects_idx.vectors, q) DESC]
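
As an added example (not code from this thread or from GForge), here is how a search handler could avoid both problems endi raises: the tsquery syntax error on the `!` and user text being pasted into the statement. The table and column names are taken from the error message above; the Python and the psycopg-style `%s` bind parameter are assumptions.

```python
import re

# Added example, not the GForge code. Table and column names come from the
# error message quoted in this thread; the %s bind-parameter style is assumed.

_TS_OPERATORS = set("&|!():*<>'")  # characters the tsquery parser treats as syntax


def vulnerable_search_sql(user_input: str) -> str:
    """What the error page suggests happened: the raw term is pasted into the
    statement text. A '!' (tsquery NOT) with no operand breaks the tsquery
    parser, and a quote would terminate the SQL string literal itself."""
    return (
        "SELECT project.project_id FROM project, projects_idx, "
        f"to_tsquery('{user_input}') AS q "
        "WHERE project.project_id = projects_idx.project_id "
        "AND projects_idx.vectors @@ q"
    )


def normalize_search_terms(user_input: str) -> str:
    """Reduce free text to a tsquery the parser always accepts: keep only
    word lexemes and AND them together ('Joom!fish' -> 'Joom & fish').
    Returns '' when nothing usable remains, so callers can skip the query."""
    lexemes = re.findall(r"\w+", user_input)
    return " & ".join(lexemes)


def safe_search_sql(user_input: str) -> tuple:
    """Return (statement, parameters). The user text travels as a bind
    parameter, so the SQL parser never sees it as SQL; normalize_search_terms
    keeps the tsquery parser happy. PostgreSQL's plainto_tsquery(%s) would
    also accept the raw text and ignore operator characters."""
    sql = (
        "SELECT project.project_id FROM project, projects_idx, "
        "to_tsquery(%s) AS q "
        "WHERE project.project_id = projects_idx.project_id "
        "AND projects_idx.vectors @@ q"
    )
    return sql, (normalize_search_terms(user_input),)


def contains_tsquery_syntax(user_input: str) -> bool:
    """Logging helper: flags a search term that would have broken the
    original query, e.g. 'Joom!fish'."""
    return any(ch in _TS_OPERATORS for ch in user_input)
```

Whichever builder is used, the driver's exception should be logged server-side and the user shown a generic message, not the statement text that appears on the page endi saw.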

Tonie
Joomla! Ace
Posts: 1585
Joined: Thu Aug 18, 2005 7:13 am

Re: JoomlaCode SQL error

Post by Tonie » Sat Jul 21, 2007 3:42 pm

I'll put it on my to-do list for the people of GForge.
Antonie de Wilde - Forum admin

call2greg
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 23, 2007 8:00 am

query execution error

Post by call2greg » Mon Jul 23, 2007 8:22 am

I am a new Joomla user, and I have this message underneath my page. How do I solve or remove it? The page displays very well, but underneath it this message loads, and the number of queries executed keeps changing.

34 queries executed
1
SET sql_mode = 'MYSQL40'
--------------------------------------------------------------------------------
2
SELECT folder, element, published, params
FROM jos_mambots
WHERE published >= 1
AND access <= 0
AND folder = 'system'
ORDER BY ordering
--------------------------------------------------------------------------------
3
SELECT id, link
FROM jos_menu
WHERE menutype = 'mainmenu'
AND published = 1
ORDER BY parent, ordering
LIMIT 1

Tonie
Joomla! Ace
Posts: 1585
Joined: Thu Aug 18, 2005 7:13 am

Re: JoomlaCode SQL error

Post by Tonie » Mon Jul 23, 2007 9:12 am

@calltogreg:

Different issue. Please disable debug mode in the administrator backend, the queries will go away.
Antonie de Wilde - Forum admin

Tonie
Joomla! Ace
Posts: 1585
Joined: Thu Aug 18, 2005 7:13 am

Re: JoomlaCode SQL error

Post by Tonie » Mon Jul 23, 2007 9:14 am

@endi

Brad notified the people of GForge. It's acknowledged that this is not correct behaviour; they could not find a way to exploit this with malicious code. Hope this will be fixed in a future release.
Antonie de Wilde - Forum admin

call2greg
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 23, 2007 8:00 am

Re: JoomlaCode SQL error

Post by call2greg » Mon Jul 23, 2007 3:38 pm

Thanks, I did just that and it is out.
