#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    1
    Rep Power
    0

    Help with a (possibly)outdated script


    Hello, I am not sure if this is the best place to ask or in fact if I am asking the right question. We have a phpbb board we have been using for a while. There was a mod that was developed for the board that uses mySql as far as I can tell however the mod developer has stopped developing the mod for quite some time.

    Luckily it has continued to work now long after it was stopped being update. Recently however, we have started getting the following error message on the board:

    Failed to add to the cache. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'http://static.wowhead.com/images/wow/icons/tiny/.gif', 'en')' at line 1

    INSERT INTO `wowhead_item` (itemid, name, search_name, heroic, quality, icon, lang) VALUES (96409, '', '96409', 0, , 'http://static.wowhead.com/images/wow/icons/tiny/.gif', 'en')Failed to add to the cache. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'http://static.wowhead.com/images/wow/icons/tiny/.gif', 'en')' at line 1

    Now I THINK that this relates to this bit of code:

    Code:
    public function saveItem($info)
    	{
    		if (sizeof($info) == 0 || !$this->connected)
    			return false;
    		$info = $this->prepareInfoArray($info);
    		$info['heroic'] = (array_key_exists('heroic', $info)) ? $info['heroic'] : 0;
    		$info['icon'] = (array_key_exists('icon', $info)) ? $info['icon'] : '';
    		$query_text = "INSERT INTO `" . WHP_DB_PREFIX . "item` (itemid, name, search_name, heroic, quality, icon, lang) VALUES ({$info['itemid']}, '{$info['name']}', '{$info['search_name']}', {$info['heroic']}, {$info['quality']}, '{$info['icon']}', '{$info['lang']}')";
    		if (!$this->sql->query($query_text))
    		{
    			$error = $this->sql->error();
    			$error = $error['message'];
    			echo 'Failed to add ' . $info['name'] . ' to the cache. ' . $error . '<br/><br/>' . $query_text;
    			return false;
    		}
    	}
    But I personally have next to no knowledge on SQL.

    All I want to know is if it can be determined from the above information if that script is indeed the culprit and whether it is easy to fix, also keeping in mind for myself that if there is an error in this section there could be elsewhere.

    Thanks!
  2. #2
  3. SQL Consultant
    Devshed Supreme Being (6500+ posts)

    Join Date
    Feb 2003
    Location
    Toronto Canada
    Posts
    27,204
    Rep Power
    4279
    according to the error message posted, you have failed to provide a value for the quality variable, resulting in two consecutive commas, which produces the syntax error

    moved your thread to the php forum for you
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    the deeper problem is that the database code has no escaping or security whatsoever. It takes whatever the variables happen to contain and dumps it in the query string. Your syntax error is only a harmless symptom of this. What if the variables contain actual SQL keywords, either by accident or by somebody putting them there on purpose? Pretty much anything could happen.

    So I think the best idea would be to get rid of that mod and look for a better alternative. The code was bad from the beginning, and when it's even abandoned now, this stuff could f*ck up your whole database or server. Don't take the risk. Especially since this is a public forum, so anybody could take advantage of that security hole.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo