-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unhandled mysqli exception in search with invalid search strings #844
Comments
Probably something to catch around Serendipity/include/genpage.inc.php Line 61 in 71f2c2d
|
…arch anyway + change alias to mysqli_real_escape_string
…not + change regex to only catch BOOLEAN Operator that prefix a word
#846) * Fix search issue with special characters, and escape them in SQL. #844 * Update functions_entries.inc.php Co-authored-by: Garvin Hicking <38074677+fe-hicking@users.noreply.github.com> * Update functions_entries.inc.php Co-authored-by: Garvin Hicking <38074677+fe-hicking@users.noreply.github.com> * #844 Simplify code removing If statement because we escape term search anyway + change alias to mysqli_real_escape_string * Issue #844 Bring back if statement to switch over boolean mode or not + change regex to only catch BOOLEAN Operator that prefix a word * Update regex boolean mode is trigger only on operator followed by words * Fix typo on regex * #844 add another regex to avoid boolean operator alone that could lead to error --------- Co-authored-by: Garvin Hicking <blog@garv.in> Co-authored-by: Garvin Hicking <38074677+fe-hicking@users.noreply.github.com>
This should be fixed now in current master, thanks to #846 by @GuillaumeValadas Thanks for the report @hannob ! I'll close here already, we can re-open if the issue remains or returns. |
Interestingly, I am still seeing such an error (longer stack trace this time) when applying this patch, but only on one of my s9y installations... Error new:
s9y installation where error still shows up at https://blog.hboeck.de/ - installation where fix appears to work at https://betterscience.org/ |
Looks as if it's related to the staticpage plugin? That one may have that search logic wrong, too... |
I'm monitoring my PHP error logs, which often helps me identify bugs in PHP applications.
Since a while, I'm regularly seeing unhandled mysqli exceptions by serendipity, like this:
What happens is that the search function of s9y can pass invalid search strings to mysql, and that causes this exception.
You can also test this on the main s9y blog, by passing a search string like "test -" into the search form:
https://blog.s9y.org/index.php?serendipity%5Baction%5D=search&serendipity%5BsearchTerm%5D=test+-&serendipity%5BsearchButton%5D=Los%21
This causes an error 500 for the user.
I think this should be caught somewhere and the user should get some form of error. I've looked a bit where to do that, but haven't yet written a patch, as it's not entirely obvious where to best handle this. The code in serendipity_searchEntries() is generic for various DB backends, but serendipity_db_query() doesn't really know that the query is a search, which could cause such errors.
Reporting it here, so maybe others can have a look.
The text was updated successfully, but these errors were encountered: