Bug in the forum search

THE POST BELOW IS MORE THAN 5 YEARS OLD. RELATED SUPPORT INFORMATION MIGHT BE OUTDATED OR DEPRECATED

On 22/07/2010 at 13:12, xxxxxxxx wrote:

Howdy,

There seems to be a bug in the forum search. I remembered starting a post asking a question about MSG_UPDATE and wanted to reread the replies. So I typed in MSG_UPDATE in the forum search looking for topics, and it listed 2 topics started by me, but when I selected either topic I get this error:

Server Error in Forum Application
WARNING: SQL Injection attack detected.
Please contact the forum administrator.

Support Error Code:- err_Access_SqlInjectionTest()
File Name:- functions_filters.asp

Error details:-

If I go back to the search and instead search for topics started by me, the 2 topics about MSG_UPDATE are included in the list, and when I click on them from that list, they're fine and I can read them.

I'm curious if the "_" character in "MSG_UPDATE" is causing a problem in the search?

Adios,
Cactus Dan

On 22/07/2010 at 13:20, xxxxxxxx wrote:

Howdy,

Well, I tried other "MSG_" messages like "MSG_POINTS_CHANGED" and they seem to be fine in the search. Maybe it's just the "MSG_UPDATE" that causes the problem?

Adios,
Cactus Dan

On 22/07/2010 at 23:59, xxxxxxxx wrote:

It seems to work fine here. Please try again.

cheers,
Matthias

On 23/07/2010 at 04:11, xxxxxxxx wrote:

Confirmed here. Do the search, click on a topic, and bang, server error as Dan posted.

On 23/07/2010 at 04:23, xxxxxxxx wrote:

A little more testing shows that this is because UPDATE is an SQL keyword. For some reason, it requires an underscore in front to cause the error. You can do a search for _SELECT or _DELETE (both SQL keywords) and get the same error. I guess any keyword will do it if it actually finds some search matches for that keyword.

Just a silly bug in the database code, I think.
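
The behaviour reported in this thread, as an added example that is not part of the original posts and is not the forum software's code: a hypothetical keyword blacklist that rejects legitimate terms such as MSG_UPDATE, beside a parameterized search that treats the same term as plain data. The regular expression, function names, table and sample rows are constructed assumptions; the real functions_filters.asp is not shown on the page.

```python
import re
import sqlite3

# Hypothetical blacklist modelled on the behaviour reported in the thread;
# the forum's real filter code is not shown on the page.
KEYWORD_AFTER_UNDERSCORE = re.compile(
    r"_(SELECT|UPDATE|DELETE|INSERT|DROP)\b", re.IGNORECASE
)


def blacklist_flags(term):
    """Return True when the naive keyword filter would report an 'attack'."""
    return bool(KEYWORD_AFTER_UNDERSCORE.search(term))


def escape_like(term):
    """Escape LIKE wildcards so '_' and '%' in the term match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_topics(conn, term):
    """Search with a bound parameter: the term is passed as data, not SQL."""
    rows = conn.execute(
        "SELECT subject FROM topics WHERE subject LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escape_like(term) + "%",),
    )
    return [row[0] for row in rows]


def build_demo_db():
    """In-memory table with constructed sample subjects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topics (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany(
        "INSERT INTO topics (subject) VALUES (?)",
        [("Question about MSG_UPDATE",), ("MSGXUPDATE typo",),
         ("UNDO_DELETE and the undo stack",), ("Artist's rig",)],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for term in ("MSG_UPDATE", "UNDO_DELETE", "MSG_POINTS_CHANGED", "Artist's"):
        print(term, blacklist_flags(term), search_topics(db, term))
```

With bound parameters the underscore and the apostrophe are both handled as literal text, so the keyword check adds only false positives.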

On 23/07/2010 at 06:18, xxxxxxxx wrote:

Howdy,

Yep, the same thing happens with UNDO_DELETE. But it only affects the search when you choose to show "Topics". If you choose to show "Posts" then it's fine.

Adios,
Cactus Dan

On 23/07/2010 at 06:40, xxxxxxxx wrote:

Ah, I missed the point that you had to click on one of the listed topics. I can now confirm this too.

cheers,
Matthias

On 23/07/2010 at 06:43, xxxxxxxx wrote:

I forwarded the issue.

cheers,
Matthias

On 23/07/2010 at 06:48, xxxxxxxx wrote:

Howdy,

Yeah, I normally like to list the topics so I can read the entire thread.

That error has popped up before, but I thought it was just a random error.

Adios,
Cactus Dan