Opened 16 years ago

Closed 16 years ago

Last modified 3 months ago

#1536 closed defect (bug) (fixed)

mysql errors with wp-mail after upgrade to 1.5.1.3 from 1.5.1.2

Reported by: tremaine
Owned by: markjaquith
Milestone:
Priority: high
Severity: major
Version: 1.5.2
Component: Administration
Keywords: mysql errors wp-mail bg|needs-patch bg|dev-feedback bg|2nd-opinion
Focuses:
Cc:

Description

Original of wp-mail mysql problem at http://wordpress.org/support/topic/38746#post-225590

I just upgraded WP 1.5.1.2 to 1.5.1.3 (after backing up the entire directory and mysql db of course!) and can no longer post via email to my blog at http://blog.ddiction.com/

I get the following errors when using wp-mail.php:

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's a very odd experience to see your arm and hand responding co]
INSERT INTO wp_posts (post_author, post_date, post_date_gmt, post_modified, post_modified_gmt, post_content, post_title, post_excerpt, post_category, post_status, post_name, comment_status, ping_status, post_parent) VALUES ('3', '2005-07-09 20:28:57', '2005-07-10 03:28:57', '2005-07-09 20:28:57', '2005-07-10 03:28:57', '

This is then followed by the content of the email post, then followed by more errors

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near at line 3]
SELECT category_id FROM wp_post2cat WHERE post_id =

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1)' at line 2]
INSERT INTO wp_post2cat (post_id, category_id) VALUES (, 1)

WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1]
SELECT pinged FROM wp_posts WHERE ID =


Apache/2.0.54
PHP 4.4.0 (cli)
Zend Engine v1.3.0
mysql Ver 12.22 Distrib 4.0.24, for pc-linux-gnu (i686)

From mysql.log when using wp-mail.php (edited to remove email addresses):

2 Init DB blog-ddiction
2 Query SELECT * FROM wp_users WHERE user_level > 0
050724 18:57:43 2 Query SELECT option_name, option_value FROM wp_options WHERE autol oad = 'yes'
1 Query SELECT username, crypt, "", uid, gid, pop, "", "", realname, "" FROM users WHERE username = "removed"
2 Query SELECT ID FROM wp_users WHERE user_email='removed ' ORDER BY ID DESC LIMIT 1
2 Query SELECT option_value FROM wp_options WHERE option_name = 'sub jectprefix'
2 Query SELECT post_name FROM wp_posts WHERE post_name = 'cuz-im-a-m eme-whore-and-my-brain-is-fried-from-working-over-the' AND post_status = 'publish' AND ID != LIMIT 1
2 Query INSERT INTO wp_posts
(post_author, post_date, post_date_gmt, post_modified, post_modified_gmt, post_c ontent, post_title, post_excerpt, post_category, post_status, post_name, comment_status, ping_st atus, post_parent)
VALUES ('3', '2005-07-24 17:43:11', '2005-07-25 00:43:11', '2005-07-24 17:43:11' , '2005-07-25 00:43:11', 'Congratulations on being the creator of a new
Evil Plan (tm)!
Your objective is simple: World Domination.

Your motive is a little bit more complex: Power

Stage One
To begin your plan, you must first assassinate a pope. This will
cause the world to whisper among themselves, alarmed by your
arrival. Who is this despoiler of all that is good and nice and
true? Where did they come from? And why do they look so good in
a corporate suit?

Stage Two
Next, you must seize control of the Internet. This will all be
done from a obsidian citadel, a mysterious place of unrivaled
dark glory. Upon seeing this, the world will gibber like madmen,
as countless hordes of computer programmers hasten to do your
every bidding.

Stage Three
Finally, you must prepare your corporate takeover, bringing
about a 1984 police state. Your name shall become synonymous
with fear, and no man will ever again dare cross you. Everyone
will bow before your cunning intelligence, and the world will
have no choice but to whisper your name in fear.', 'Cuz I'm a meme whore, and my brain i s fried from working over the', , '1', 'publish', 'cuz-im-a-meme-whore-and-my-brain-is-fried-f rom-working-over-the', 'open', 'open', '0')
2 Query UPDATE wp_posts SET guid = 'http://blog.ddiction.com/?p=' WH ERE ID =

2 Query SELECT category_id
FROM wp_post2cat
WHERE post_id =
2 Query INSERT INTO wp_post2cat (post_id, category_id)
VALUES (, 1)

If there is anything else I can provide that would help troubleshoot this, let me know.


Ok, more information to add to this whole mess. I've been firing a pile of test messages to my blog via email with different criteria.

It appears that the existence of a single apostrophe in the message or subject will break it.

Email length and subject line length don't matter.

Change History (6)

#1 @markjaquith
16 years ago

  • Keywords bg|needs-patch bg|dev-feedback bg|2nd-opinion added; with upgrade 1.5.1.3 removed
  • Milestone set to 1.6
  • Owner changed from anonymous to markjaquith
  • Severity changed from normal to major
  • Status changed from new to assigned

It would seem that the data isn't being properly escaped. This is also a potential security hole.

Either explicitly escaping the content, or adding this should fix it:

add_filter('phone_content', 'addslashes');

Might be a good time to review the other fields being posted, to see if any of them are a potential security risk.

#2 @tbhimdi
16 years ago

  • Version changed from 1.5.1.2 to 1.5.2

Fix fails if there is an apostrophe in the subject line, works otherwise.

I tested the subject line along with the patch in http://trac.wordpress.org/ticket/1515

#3 @tbhimdi
16 years ago

In your wp-mail.php file...

skippy:
Make sure the add_filter line occurs after this:
require(dirname(__FILE__) . '/wp-config.php');

#4 @tbhimdi
16 years ago

This fix works great for me in 1.5.2 along with the add_filter fix above.

skippy:
Alternately, add this to wp-mail.php to correctly handle apostrophes in the subject:
$subject = addslashes($subject[0]);

In a stock wp-mail.php, that should replace the contents of line 58.
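
The failure chain reported in this ticket, reproduced as an added example that is not part of the ticket or of WordPress: an apostrophe in a concatenated value breaks the INSERT, the missing post ID then breaks the follow-up query, and bound parameters handle every field without per-field escaping. It assumes PHP with PDO and an in-memory SQLite database standing in for MySQL; the two-column tables, the function names and the e-mail text are constructed for illustration.

```php
<?php
// Simplified stand-ins for wp_posts and wp_post2cat (assumption: SQLite instead of MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)');
$db->exec('CREATE TABLE wp_post2cat (post_id INTEGER, category_id INTEGER)');

// Constructed e-mail fields; each contains a single apostrophe.
$subject = "It's a test";
$content = "Posting by e-mail shouldn't break.";

// Report a failed query and carry on, as the error output in the ticket shows happening.
function run_query(PDO $db, string $sql): bool {
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo "database error: {$e->getMessage()}\n  {$sql}\n";
        return false;
    }
}

// Before: e-mail fields concatenated into the SQL text.
function post_by_concatenation(PDO $db, string $subject, string $content): array {
    $inserted = run_query($db,
        "INSERT INTO wp_posts (post_title, post_content) VALUES ('$subject', '$content')");
    $post_id = $inserted ? $db->lastInsertId() : '';   // no row was written, so no ID
    $linked = run_query($db,
        "INSERT INTO wp_post2cat (post_id, category_id) VALUES ($post_id, 1)");
    return [$inserted, $linked];
}

// After: every value travels as a bound parameter, so quoting is never part of the SQL text.
function post_with_parameters(PDO $db, string $subject, string $content): int {
    $db->prepare('INSERT INTO wp_posts (post_title, post_content) VALUES (?, ?)')
       ->execute([$subject, $content]);
    $post_id = (int) $db->lastInsertId();
    $db->prepare('INSERT INTO wp_post2cat (post_id, category_id) VALUES (?, 1)')
       ->execute([$post_id]);
    return $post_id;
}

var_dump(post_by_concatenation($db, $subject, $content));

$id = post_with_parameters($db, $subject, $content);
$check = $db->prepare('SELECT post_title FROM wp_posts WHERE ID = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $subject);
```

The second error from the concatenating version has the same shape as the `VALUES (, 1)` query in the report: it is a consequence of the first failure, not a separate bug.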

#5 @matt
16 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in 1.6 already.

#6 @(none)
15 years ago

  • Milestone 2.0 deleted

