MySQL error...

Rich Z · April 15th, 2005, 01:12 PM

Quote:

An error was encountered during execution of the query:

REPLACE INTO class_admlog (adminuser,ip,datestamp,description) VALUES ('Liam's Herps','4.5.79.191','1113584846','Deleted product: Gabon_Web.jpg (Venomoid Gabon Viper)')

The query returned with an errorcode of:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Herps','4.5.79.191','1113584846','Deleted product: Gabon_Web.

Looks like the program is stumbling if a user's name contains an embedded apostrophe.

Chuck S · April 15th, 2005, 01:38 PM

Whats your line 346-347 of adm-inc.php look like?

I have this which means slash is added to the name if an apostroshe is used

$username = addslashes($User['username']);
$query = "REPLACE INTO {$Globals['pp_db_prefix']}admlog (adminuser,ip,datestamp,description) VALUES ('$username','$ipaddr','$date','$what')";

Rich Z · April 15th, 2005, 02:27 PM

Quote:

Originally Posted by omegatron

Whats your line 346-347 of adm-inc.php look like?

I have this which means slash is added to the name if an apostroshe is used

$username = addslashes($User['username']);
$query = "REPLACE INTO {$Globals['pp_db_prefix']}admlog (adminuser,ip,datestamp,description) VALUES ('$username','$ipaddr','$date','$what')";

Here's what I have:

Quote:

$username = addslashes($User['username']);
$query = "REPLACE INTO {$Globals['pp_db_prefix']}admlog (adminuser,ip,datestamp,description) VALUES ('$username','$ipaddr','$date','$what')";

I cut and pasted it from my site. Looks the same to me....

Chuck S · April 16th, 2005, 07:35 AM

Yep thats why I asked your query has this

'Liam's Herps' and since we addslashes it should be 'Liam\'s Herps'

I would not be able to say why your system does not do what the code is telling it to do as in add a slash.

Rich Z · April 19th, 2005, 12:47 PM

Quote:

An error was encountered during execution of the query:

REPLACE INTO class_admlog (adminuser,ip,datestamp,description) VALUES ('Liam's Herps','71.111.132.12','1113923944','Deleted product: crested_female1.jpg (Adult Female Crested Gecko)')

The query returned with an errorcode of:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Herps','71.111.132.12','1113923944','Deleted product: crested

Well, I am getting these every time this user deletes a product, and it is apparently a bug. SOMETHING is wrong somewhere, otherwise I wouldn't get this error message.

Chuck S · April 19th, 2005, 07:33 PM

Now that makes more sense you never said when deleting a products.

Thats a whole separate script

In adm-product.php find this

$ipaddr = findenv("REMOTE_ADDR");
$date = time();
$what = "Deleted product: $filename ($ptitle)";
$what = addslashes($what);
$query = "REPLACE INTO {$Globals['pp_db_prefix']}admlog (adminuser,ip,datestamp,description) VALUES ('{$User['username']}','$ipaddr','$date','$what')";
$resultb = ppmysql_query($query,$link);

change to this

$username = addslashes($User['username']);
$ipaddr = findenv("REMOTE_ADDR");
$date = time();
$what = "Deleted product: $filename ($ptitle)";
$what = addslashes($what);
$query = "REPLACE INTO {$Globals['pp_db_prefix']}admlog (adminuser,ip,datestamp,description) VALUES ('$username','$ipaddr','$date','$what')";
$resultb = ppmysql_query($query,$link);

Rich Z · April 19th, 2005, 09:43 PM

I didn't think I needed to repeat what was already mentioned in the error message.

Quote:

'Deleted product: crested_female1.jpg (Adult Female Crested Gecko)')

Chuck S · April 21st, 2005, 05:51 AM

LOL I dont read whole error messages. I read till I see the error and then post a fix.

Rich Z · April 22nd, 2005, 02:05 PM

OK, got some more errors for you:

Quote:

An error was encountered during execution of the query:

SELECT id FROM class_products WHERE userid='19929' AND cat='' AND bigimage='Macklot's Python.jpg'

The query returned with an errorcode of:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Python.jpg'' at line 1

If you need assistence or feel this is a 'bug'; please report it to our support forums at: http://www.photopost.com/members/forum/f66/index.html

and

Quote:

An error was encountered during execution of the query:

INSERT INTO class_products (id,user,userid,cat,date,title,description,keywords,bigimage,bigimage2,bigimage3,approved,watermarked,ipaddress)
values(NULL,'lostathome69', 15994, , 1114189013, 'Male Yellow Germail Giant 434 Grams!', '', '', 'D', 'S', 'C',
1, '', '69.202.218.15')

The query returned with an errorcode of:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1114189013, 'Male Yellow Germail Giant 434 Grams!', '', '', 'D

Did I cause these as well?

Rich Z · April 23rd, 2005, 12:47 PM

Got another error:

Quote:

An error was encountered during execution of the query:

SELECT id FROM class_products WHERE userid='17012' AND cat='' AND bigimage='kim's pictures 101.jpg'

The query returned with an errorcode of:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's pictures 101.jpg'' at line 1

Why is this program having such a difficult time with embedded slashes? Is this a problem stemming from taking user names from the vBulletin database instead of PhotoPost's own table?

Chuck S · April 23rd, 2005, 09:24 PM

Well this query is in line 232 of uploadproduct.php

$querya = "SELECT id FROM {$Globals['pp_db_prefix']}products WHERE userid='{$User['userid']}' AND cat='$defcat' AND bigimage='$realname'";

Your problem has nothing to do with slashes. Your cat variable is empty. It is looking for $defcat which is passed in the url

You can try replacing $defcat in the query with $category

The next one I will reserve comment till I think further on things

Frost · April 24th, 2005, 02:28 AM

Quote:

Originally Posted by omegatron

...snip... Your problem has nothing to do with slashes. ...snip...

In pp-inc.php find:

Code:

Content visible to verified customers only.

And replace with:

Code:

Content visible to verified customers only.

In uploadproduct.php find:

Code:

Content visible to verified customers only.

And replace with:

Code:

Content visible to verified customers only.

EDIT: Just making this post agree with the code changes so far.

Chuck S · April 24th, 2005, 12:03 PM

Now the main issue here has nothing to do with stripslashes as I note.

Code:

Content visible to verified customers only.

His $cat variable is empty which I posted a fix to try out.

I doubt your code is needed.

As far as the $realname issue The fixfilenames function strips the unwanted characters and I get no errors with Classifieds 2.3

Chuck S · April 24th, 2005, 12:17 PM

Rich

Are you using Classifieds 2.3? I uploaded an image with a ' in the title and our fixfilenames actually will rename the image to say this

{useridhere}s Python.jpg

I turned on email errors as well and get no error

Frost · April 24th, 2005, 12:35 PM

Code:

Content visible to verified customers only.

Note that the error is near 's pictures 101.jpg so IT IS a slashing issue. If you run the following query, you will NOT get an error (it has nothing to do with his $cat variable being empty):

Code:

Content visible to verified customers only.

If you look in uploadproduct.php for where $realname is used after is it addslashed, you should see that it won't cause a problem elsewhere, except for possibly echoing a slash in diewell, so fine, stripslash it there, big deal. Further note that $realname gets redefined by list soon after.

Chuck S · April 24th, 2005, 12:42 PM

Right but I need to know what version of the software he is using. I work with the current version when looking at the code.

I have email errors turned on. I posted a ad in 2.3 and the image is renamed by the fixfilename function and I get no errors emailed.

Furthermore the query your posting will fail as noted by me because the $cat variable is empty. Hense more information is needed on what version of the software is being used.

In the code you posted you do not want to add slashes before the query as if you insert the image with a addslash you will break the display of the image as I noted. Since we will be looking for say

1kim\'s_pictures_101.jpg

Yet the fixfilenames will rename the image like so and it will not be found.

1s_pictures_101.jpg

Hense any correction in code must be placed in the proper place for things to work. Thus I stated I would get back to him after I did some testing.

So far as noted I can not get an error in 2.3 on this issue.

Frost · April 24th, 2005, 12:52 PM

No, the addslashes to $realname does NOT insert a \' (as in literal backslash single quote) in the table. Also, in 2.3 look in uploadproduct.php for fixfilename and you will see it is not there, just checked.

Chuck S · April 24th, 2005, 12:54 PM

that is in pp-inc.php

In 2.3 I upload a photo with a slash in the name and I have email error's turned on and I get no error. If you are running 2.3 can you recieve this error?

Chuck S · April 24th, 2005, 01:10 PM

Seriously if you can replicate getting an error by email in 2.3 when trying to upload an image with a slash let me know.

I have tried 6 uploads now with no issues.

Frost · April 24th, 2005, 01:52 PM

From http://www.php.net/features.file-upload...

Quote:

Be sure to be careful with the $_FILES['userfile']['name'] array element. If the client uploads a file that has an apostrophe in the filename it WILL NOT get set to the full name of the file from the client's machine.

For example, if the client uploads a file named george's car.jpg the $_FILES['userfile']['name'] element will be set to s car.jpg because PHP appears to cut off everything before the apostrophe as well as the apostrophe itself.

This did not happen in some of the previous versions of PHP but I know that it happens in version 4.3.10 so watch out for this.

I thought this was a bug so I submitted it but it turns out that it is a "security measure"

So the fact that you cannot reproduce this MySQL slash problem is because of your version of PHP, not because the v.2.3 classifieds code is doing something special, because it is not. Look at the filenames is the data directory and the products table to see the truncations from PHP itself.

Now downgrade your PHP (who knows to what version) and you will get the same type of "error is near 's pictures 101.jpg" so again IT IS a slashing issue. Further, even though the function fixfilename is in pp-inc.php, the function fixfilename is NOT called on $realname in uploadproduct.php.