Bug in the forum search



  • THE POST BELOW IS MORE THAN 5 YEARS OLD. RELATED SUPPORT INFORMATION MIGHT BE OUTDATED OR DEPRECATED

    On 22/07/2010 at 13:12, xxxxxxxx wrote:

    Howdy,

    There seems to be a bug in the forum search. I remembered starting a post asking a question about MSG_UPDATE and wanted to reread the replies. So I typed in MSG_UPDATE in the forum search looking for topics, and it listed 2 topics started by me, but when I selected either topic I get this error:

    Server Error in Forum Application
    WARNING: SQL Injection attack detected.
    Please contact the forum administrator.

    Support Error Code:- err_Access_SqlInjectionTest()
    File Name:- functions_filters.asp

    Error details:-

    If I go back to the search and instead search for topics started by me, the 2 topics about MSG_UPDATE are included in the list, and when I click on them from that list, they're fine and I can read them.

    I'm curious if the "_" character in "MSG_UPDATE" is causing a problem in the search?

    Adios,
    Cactus Dan



  • On 22/07/2010 at 13:20, xxxxxxxx wrote:

    Howdy,

    Well, I tried other "MSG_" messages like "MSG_POINTS_CHANGED" and they seem to be fine in the search. Maybe it's just the "MSG_UPDATE" that causes the problem?

    Adios,
    Cactus Dan



  • On 22/07/2010 at 23:59, xxxxxxxx wrote:

    It seems to work fine here. Please try again.

    cheers,
    Matthias



  • On 23/07/2010 at 04:11, xxxxxxxx wrote:

    Confirmed here. Do the search, click on a topic, and bang, server error as Dan posted.



  • On 23/07/2010 at 04:23, xxxxxxxx wrote:

    A little more testing shows that this is because UPDATE is an SQL keyword. For some reason, it requires an underscore in front to cause the error. You can do a search for _SELECT or _DELETE (both SQL keywords) and get the same error. I guess any keyword will do it if it actually finds some search matches for that keyword.

    Just a silly bug in the database code, I think.
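
An added illustration, not from the thread and not the forum software's code: a hypothetical keyword blocklist that reproduces the false positive reported above, next to a parameterized search that treats the term purely as data. The regex, the `topics` table and all function names are assumptions; the sample rows are constructed.

```python
import re
import sqlite3

# Hypothetical blocklist: an SQL keyword preceded by a non-alphanumeric
# character. This is a guess that matches the reports in the thread, not the
# forum's actual filter.
BLOCKLIST = re.compile(r"[^A-Za-z0-9](select|update|delete|insert|drop)", re.I)

def blocklist_flags(term):
    """Return True when the keyword filter would reject the input."""
    return BLOCKLIST.search(term) is not None

def escape_like(term, esc="\\"):
    """Escape LIKE wildcards so '_' and '%' match literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_topics(conn, term):
    """Parameterized search: the term is bound as data, never parsed as SQL."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT title FROM topics WHERE title LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,),
    )
    return [r[0] for r in rows]

def make_db():
    """Constructed sample data, not real forum content."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO topics (title) VALUES (?)",
        [("Question about MSG_UPDATE",),
         ("MSG_POINTS_CHANGED not sent",),
         ("MSGXUPDATE typo",),
         ("x'; DROP TABLE topics; --",)],
    )
    return conn

if __name__ == "__main__":
    conn = make_db()
    for term in ["MSG_UPDATE", "MSG_POINTS_CHANGED", "UNDO_DELETE", "UPDATE"]:
        print(term, "flagged" if blocklist_flags(term) else "ok")
    print(search_topics(conn, "MSG_UPDATE"))
    print(search_topics(conn, "'; DROP TABLE"))
```

Because `_` is itself a LIKE wildcard, the escaping step is what keeps a search for MSG_UPDATE from also matching the constructed "MSGXUPDATE" row.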



  • On 23/07/2010 at 06:18, xxxxxxxx wrote:

    Howdy,

    Yep, the same thing happens with UNDO_DELETE. But it only affects the search when you choose to show "Topics". If you choose to show "Posts" then it's fine.

    Adios,
    Cactus Dan



  • On 23/07/2010 at 06:40, xxxxxxxx wrote:

    Ah, I missed the point that you had to click on one of the listed topics. I can now confirm this too.

    cheers,
    Matthias



  • On 23/07/2010 at 06:43, xxxxxxxx wrote:

    I forwarded the issue.

    cheers,
    Matthias



  • On 23/07/2010 at 06:48, xxxxxxxx wrote:

    Howdy,

    Yeah, I normally like to list the topics so I can read the entire thread.

    That error has popped up before, but I thought it was just a random error.

    Adios,
    Cactus Dan

