[mythtv-commits] Ticket #7809: SQL Escape problem in mythweb
MythTV
mythtv at cvs.mythtv.org
Sun Dec 27 21:58:46 UTC 2009
#7809: SQL Escape problem in mythweb
--------------------------------------+-------------------------------------
Reporter: achew22+mythtv@… | Owner: kormoc
Type: defect | Status: new
Priority: major | Milestone: unknown
Component: Plugin - MythWeb | Version: 0.22-fixes
Severity: medium | Mlocked: 0
--------------------------------------+-------------------------------------
In MythWeb's custom recording schedule page I tried to change a power
search: I changed one of my listings from "ABC World News" to "ABC('s)?
World News". After hitting submit I got the dreaded (for SQL injections)
"There is an error in your custom SQL query: check the manual that
corresponds to your MySQL server version for the right syntax to use near
'World News' at line 1 [#1064]".
Version information:
MythWeb and MythTV are both from the Ubuntu 9.10 repositories so I assume
MythWeb is the same version but I have no proof of that.
achew22 at mythtv:~$ mythbackend --version
Please include all output in bug reports.
MythTV Version : 22594
MythTV Branch : branches/release-0-22-fixes
Network Protocol : 50
Library API : 0.22.20091023-1
QT Version : 4.5.2
Options compiled in:
linux profile using_oss using_alsa using_pulse using_jack using_backend
using_dvb using_firewire using_frontend using_glx_proc_addr_arb
using_hdhomerun using_hdpvr using_iptv using_ivtv using_joystick_menu
using_libfftw3 using_lirc using_mheg using_opengl_video using_opengl_vsync
using_qtwebkit using_v4l using_x11 using_xrandr using_xv using_xvmc
using_xvmc_vld using_xvmcw using_bindings_perl using_bindings_python
using_opengl using_vdpau using_ffmpeg_threads using_libavc_5_3 using_live
using_mheg
----
Steps to reproduce:
1) Go to mythweb
2) Go to the custom recording page (http://127.0.0.1/tv/schedules/custom)
3) Change the search type to a "Power search"
4) Change the title to "ABC('s)? World News"
5) Change the search phrase to "ABC World News"
6) Hit submit
Error message in full:
If you don't like the Trac formatting for this, I put it on codepad
[http://codepad.org/sNEhEicp]
----
Error:
There is an error in your custom SQL query:
check the manual that corresponds to your MySQL server version for the
right syntax to use near 'World News' at line 1 [#1064]
Backtrace
--
Ticket URL: <http://svn.mythtv.org/trac/ticket/7809>
MythTV <http://www.mythtv.org/>
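An added example, not MythWeb's own code: it reproduces the probe query shown in the ticket (`SELECT NULL FROM program, channel WHERE <user text>`) against an in-memory SQLite database standing in for MySQL, and contrasts splicing the reporter's title "ABC('s)? World News" into the SQL text with binding it as a parameter. The `program` and `channel` tables and their rows are constructed stand-ins, not MythTV's real schema.

```python
import re
import sqlite3

# Constructed stand-in for MythTV's program/channel tables (not the real schema).
SCHEMA = """
CREATE TABLE channel (chanid INTEGER PRIMARY KEY, callsign TEXT);
CREATE TABLE program (chanid INTEGER, title TEXT);
INSERT INTO channel VALUES (1001, 'ABC');
INSERT INTO program VALUES (1001, 'ABC World News');
INSERT INTO program VALUES (1001, 'ABC''s World News');
INSERT INTO program VALUES (1001, 'NBC Nightly News');
"""


def open_db():
    """In-memory SQLite with a REGEXP function so MySQL-style 'title REGEXP x' works."""
    db = sqlite3.connect(":memory:")
    # SQLite evaluates "X REGEXP Y" as regexp(Y, X): first arg is the pattern.
    db.create_function("REGEXP", 2, lambda pat, s: 1 if s is not None and re.search(pat, s) else 0)
    db.executescript(SCHEMA)
    return db


def check_where_clause(db, clause):
    """Probe a user-supplied WHERE fragment the way the ticket's query shows:
    the text is spliced verbatim into the SQL. Returns None if it parses,
    otherwise the database's error text (the ticket's [#1064]-style failure)."""
    try:
        db.execute(f"SELECT NULL FROM program, channel WHERE {clause}")
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def find_titles(db, pattern):
    """Title search with the pattern bound as a parameter: the quote and
    parentheses in "ABC('s)? World News" are data, never SQL syntax."""
    rows = db.execute(
        "SELECT DISTINCT program.title FROM program, channel "
        "WHERE program.chanid = channel.chanid AND program.title REGEXP ?",
        (pattern,),
    )
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = open_db()
    print(check_where_clause(db, "ABC World News"))                         # syntax error near "World"
    print(check_where_clause(db, "program.title REGEXP 'ABC('s)? World News'"))  # quote breaks the literal
    print(find_titles(db, "ABC('s)? World News"))                           # both ABC titles match
```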