mysql errors with wp-mail after upgrade to 1.5.1.3 from 1.5.1.2

[tremaine]

Original of wp-mail mysql problem at  http://wordpress.org/support/topic/38746#post-225590

I just upgraded WP 1.5.1.2 to 1.5.1.3 (after backing up the entire directory and mysql db of course!) and can no longer post via email to my blog at  http://blog.ddiction.com/

I get the following errors when going using wp-mail.php

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's a very odd experience to see your arm and hand responding co] INSERT INTO wp_posts (post_author, post_date, post_date_gmt, post_modified, post_modified_gmt, post_content, post_title, post_excerpt, post_category, post_status, post_name, comment_status, ping_status, post_parent) VALUES ('3', '2005-07-09 20:28:57', '2005-07-10 03:28:57', '2005-07-09 20:28:57', '2005-07-10 03:28:57', '

This is then followed by the content of the email post, then followed by more errors

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near at line 3] SELECT category_id FROM wp_post2cat WHERE post_id =

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1)' at line 2] INSERT INTO wp_post2cat (post_id, category_id) VALUES (, 1)

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1] SELECT pinged FROM wp_posts WHERE ID =

---

Apache/2.0.54 PHP 4.4.0 (cli) Zend Engine v1.3.0 mysql Ver 12.22 Distrib 4.0.24, for pc-linux-gnu (i686)

from mysql.log when going using wp-mail.php (edited to remove email addresses)

2 Init DB blog-ddiction 2 Query SELECT * FROM wp_users WHERE user_level > 0 050724 18:57:43 2 Query SELECT option_name, option_value FROM wp_options WHERE autol oad = 'yes' 1 Query SELECT username, crypt, "", uid, gid, pop, "", "", realname, "" FROM users WHERE username = "removed" 2 Query SELECT ID FROM wp_users WHERE user_email='removed ' ORDER BY ID DESC LIMIT 1 2 Query SELECT option_value FROM wp_options WHERE option_name = 'sub jectprefix' 2 Query SELECT post_name FROM wp_posts WHERE post_name = 'cuz-im-a-m eme-whore-and-my-brain-is-fried-from-working-over-the' AND post_status = 'publish' AND ID != LIMIT 1 2 Query INSERT INTO wp_posts (post_author, post_date, post_date_gmt, post_modified, post_modified_gmt, post_c ontent, post_title, post_excerpt, post_category, post_status, post_name, comment_status, ping_st atus, post_parent) VALUES ('3', '2005-07-24 17:43:11', '2005-07-25 00:43:11', '2005-07-24 17:43:11' , '2005-07-25 00:43:11', 'Congratulations on being the creator of a new Evil Plan (tm)! Your objective is simple: World Domination.

Your motive is a little bit more complex: Power

Stage One To begin your plan, you must first assassinate a pope. This will cause the world to whisper among themselves, alarmed by your arrival. Who is this despoiler of all that is good and nice and true? Where did they come from? And why do they look so good in a corporate suit?

Stage Two Next, you must seize control of the Internet. This will all be done from a obsidian citadel, a mysterious place of unrivaled dark glory. Upon seeing this, the world will gibber like madmen, as countless hordes of computer programmers hasten to do your every bidding.

Stage Three Finally, you must prepare your corporate takeover, bringing about a 1984 police state. Your name shall become synonymous with fear, and no man will ever again dare cross you. Everyone will bow before your cunning intelligence, and the world will have no choice but to whisper your name in fear.', 'Cuz I'm a meme whore, and my brain i s fried from working over the', , '1', 'publish', 'cuz-im-a-meme-whore-and-my-brain-is-fried-f rom-working-over-the', 'open', 'open', '0') 2 Query UPDATE wp_posts SET guid = ' http://blog.ddiction.com/?p=' WH ERE ID = 2 Query SELECT category_id FROM wp_post2cat WHERE post_id = 2 Query INSERT INTO wp_post2cat (post_id, category_id) VALUES (, 1)

If there is anything else I can provide that would help troubleshoot this, let me know.

---

Ok, more information to add to this whole mess. I've been firing a pile of test messages to my blog via email with different criteria.

It appears that the existence of a single apostrophe in the message or subject will break it.

Email length and subject line length doesn't matter.

It would seem that the data isn't being properly escaped. This is also a potential security hole.

Either explicitly escaping the content, or adding this should fix it:

add_filter('phone_content', 'addslashes');

Might be a good time to review the other fields being posted, to see if any of them are a potential security risk.

Fix fails if there is an apostrophe in the subject line, works otherwise.

I tested the subject line along with the patch in  http://trac.wordpress.org/ticket/1515

In your wp-mail.php file...

skippy:
Make sure the add_filter line occurs after this:
require(dirname(__FILE__) . '/wp-config.php');

This fix works great for me in 1.5.2 along with the add_filter fix above.

skippy:
Alternately, add this to wp-mail.php to correctly handle apostrophes in the subject:
$subject = addslashes($subject[0]);

In a stock wp-mail.php, that should replace the contents of line 58.

Fixed in 1.6 already.

Milestone 2.0 deleted