Make WordPress Core

Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#3722 closed defect (bug) (fixed)

DB error when sanitized search string results in empty query

Reported by: zippity
Owned by: charleshooper
Milestone: 2.1.2
Priority: normal
Severity: normal
Version: 2.1
Component: General
Keywords: has-patch needs-testing 2nd-opinion
Focuses:
Cc:

Description

When entering a comma "," into the search function, you get the following error displayed at top of page:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_dat' at line 1]
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND () AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10


Multiple commas produce the same result.
If you enter anything in addition to the comma, it works fine.

Attachments (1)

wp_search.diff (790 bytes) - added by charleshooper 18 years ago.
Single comma search "hack"


Change History (12)

#1 @Viper007Bond
18 years ago

Confirmed.

@charleshooper
18 years ago

Single comma search "hack"

#2 @charleshooper
18 years ago

  • Owner changed from anonymous to charleshooper

This is kind of a hack actually. This basically just gets rid of the extra SQL formatting if $search is empty, thus getting rid of the database error when a user submits a single comma as a search term.

The result?

When a user submits a single comma search all _published_ posts are returned.

Everything else seems OK though.

#3 @charleshooper
18 years ago

  • Keywords has-patch needs-testing 2nd-opinion added
  • Status changed from new to assigned

#4 @charleshooper
18 years ago

  • Component changed from Security to General
  • Summary changed from Search string does not sanitize commas to DB error when sanitized search string results in empty query

I guess it's also worth mentioning that commas _are_ being sanitized. The reason for the error is that once the commas are gone WordPress attempts to wrap the search query with "AND ( $search )".

Since $search is null MySQL throws up an error.
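The failure described in the ticket and in comments #2 and #4 comes down to query construction: the search terms are sanitized first, and the result is then wrapped in `AND ( ... )` unconditionally, so a search that sanitizes down to nothing yields `AND ()` and a syntax error. The following is an added example, not WordPress code or the attached patch: Python with an in-memory SQLite table stands in for PHP and MySQL, `sanitize_terms` is a hypothetical sanitizer that simply drops non-word characters (so `","` becomes no terms), terms are joined with `AND` as an assumption about the original query shape, and the `LIKE` values are bound as parameters rather than interpolated. `build_where_buggy` reproduces the broken shape; `build_where_fixed` only emits the search group when at least one term survived, which gives the "all published posts" behaviour comment #2 describes.

```python
import re
import sqlite3

# Constructed sample rows standing in for a wp_posts table (not WordPress data).
SAMPLE_POSTS = [
    (1, "Hello world", "Welcome to WordPress.", "publish"),
    (2, "Draft notes", "Unfinished, do not show", "draft"),
    (3, "Comma, separated", "A post about punctuation", "publish"),
    (4, "Private memo", "Only for logged-in users", "private"),
]

STATUS_FILTER = "(post_status = 'publish' OR post_status = 'private')"


def sanitize_terms(raw):
    """Hypothetical sanitizer: split on whitespace and keep only word
    characters in each term. A lone comma sanitizes to an empty list."""
    terms = re.split(r"\s+", raw.strip())
    cleaned = [re.sub(r"[^\w]", "", t) for t in terms]
    return [t for t in cleaned if t]


def _search_group(terms):
    """One (title LIKE ? OR content LIKE ?) clause per term, joined with AND,
    plus the bound parameters in matching order."""
    clause = " AND ".join(
        "(post_title LIKE ? OR post_content LIKE ?)" for _ in terms
    )
    params = [f"%{t}%" for t in terms for _ in range(2)]
    return clause, params


def build_where_buggy(raw):
    """Mirrors the failing shape from the ticket: the search group is always
    wrapped in AND ( ... ), even when no terms remain, producing 'AND ()'."""
    search, params = _search_group(sanitize_terms(raw))
    where = f"1=1 AND ({search}) AND {STATUS_FILTER}"
    return where, params


def build_where_fixed(raw):
    """Emit the search group only when sanitization left at least one term;
    an empty search falls through to every publish/private post."""
    terms = sanitize_terms(raw)
    clauses = ["1=1"]
    params = []
    if terms:
        search, params = _search_group(terms)
        clauses.append(f"({search})")
    clauses.append(STATUS_FILTER)
    return " AND ".join(clauses), params


def run_search(raw, builder):
    """Run the built WHERE clause against the sample table and return post IDs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, "
        "post_content TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    where, params = builder(raw)
    sql = f"SELECT ID FROM wp_posts WHERE {where} ORDER BY ID"
    try:
        return [row[0] for row in conn.execute(sql, params).fetchall()]
    finally:
        conn.close()


def search_error(raw, builder):
    """Return the database error message for a search, or None if it ran."""
    try:
        run_search(raw, builder)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for raw in [",", ",,,", "hello", "comma,"]:
        for name, builder in (("buggy", build_where_buggy), ("fixed", build_where_fixed)):
            err = search_error(raw, builder)
            result = f"error: {err}" if err else run_search(raw, builder)
            print(f"{raw!r:10} {name}: {result}")
```

Running the block shows `","` and `",,,"` failing under the buggy builder with a syntax error at the empty parentheses, while the fixed builder returns posts 1, 3 and 4 (the draft stays hidden) and a real term such as `"hello"` behaves identically under both.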

#5 @Nazgul
18 years ago

  • Milestone changed from 2.1.1 to 2.1.2

#6 @Nazgul
18 years ago

The patch also fixes #3722.

#7 @Nazgul
18 years ago

I meant #3759.

#8 @ryan
18 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [4911]) Handle empty search query. Props charleshooper. fixes #3722 #3759

#9 @ryan
18 years ago

(In [4912]) Handle empty search query. Props charleshooper. fixes #3722 #3759

#11 @charleshooper
18 years ago

That's pretty annoying. Even without the fix there is no SQL injection vulnerability there whatsoever. The error is caused by an empty set of parentheses. The keyword here is EMPTY.

I had spent a good deal of time making sure nothing could be passed to the query string (before and after this fix), but I guess all it takes to post to a security mailing list is an email address.
