#3722 closed defect (bug) (fixed)
DB error when sanitized search string results in empty query
| Reported by: | zippity | Owned by: | charleshooper |
|---|---|---|---|
| Milestone: | 2.1.2 | Priority: | normal |
| Severity: | normal | Version: | 2.1 |
| Component: | General | Keywords: | has-patch needs-testing 2nd-opinion |
| Focuses: | | Cc: | |
Description
When entering a comma "," into the search function, you get the following error displayed at top of page:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_dat' at line 1]
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND () AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10
Multiple commas produce the same result.
If you enter anything in addition to the comma, it works fine.
Attachments (1)
Change History (12)
#2 (18 years ago)
- Owner changed from anonymous to charleshooper
This is kind of a hack actually. This basically just gets rid of the extra SQL formatting if $search is empty, thus getting rid of the database error when a user submits a single comma as a search term.
The result?
When a user submits a single comma search all _published_ posts are returned.
Everything else seems OK though.
#3 (18 years ago)
- Keywords has-patch needs-testing 2nd-opinion added
- Status changed from new to assigned
#4 (18 years ago)
- Component changed from Security to General
- Summary changed from Search string does not sanitize commas to DB error when sanitized search string results in empty query
I guess it's also worth mentioning that commas _are_ being sanitized. The reason for the error is that once the commas are gone WordPress attempts to wrap the search query with "AND ( $search )". Since $search is null MySQL throws up an error.
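The mechanism described in comments #2 and #4, modelled as an added example (not WordPress's own code): a query builder that emits the invalid `AND ()` wrapper when the sanitized term list is empty, beside the fixed version that skips the wrapper. The sanitizer (`sanitize_search_term`, replacing anything outside word characters and whitespace with a space) is an assumption for illustration.

```python
import re

# Assumed sanitizer (not WordPress's): anything that is not a word character
# or whitespace becomes a space, so a lone comma sanitizes to the empty string.
def sanitize_search_term(raw):
    return re.sub(r"[^\w\s]", " ", raw).strip()

def term_conditions(term):
    """One LIKE condition per whitespace-separated word. The sanitizer has
    already removed quote characters, so the words are safe to interpolate."""
    return [
        "(post_title LIKE '%{0}%' OR post_content LIKE '%{0}%')".format(w)
        for w in term.split()
    ]

def search_clause_buggy(raw):
    """Reproduces the defect: the AND ( ... ) wrapper is emitted even when
    nothing survives sanitization, producing the invalid 'AND ()'."""
    search = " AND ".join(term_conditions(sanitize_search_term(raw)))
    return "AND (" + search + ")"

def search_clause_fixed(raw):
    """The fix from comment #2: drop the wrapper when the term list is empty.
    The query then returns all published posts, as the comment notes."""
    conditions = term_conditions(sanitize_search_term(raw))
    if not conditions:
        return ""
    return "AND (" + " AND ".join(conditions) + ")"

def build_query(search_clause):
    """Assemble the full statement in the shape quoted in the ticket."""
    parts = ["SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1"]
    if search_clause:
        parts.append(search_clause)
    parts.append("AND ((post_status = 'publish' OR post_status = 'private'))")
    parts.append("ORDER BY post_date DESC LIMIT 0, 10")
    return " ".join(parts)

if __name__ == "__main__":
    for raw in [",", ",,,", "hello,world"]:
        print("buggy:", build_query(search_clause_buggy(raw)))
        print("fixed:", build_query(search_clause_fixed(raw)))
```

For a single comma the buggy builder reproduces the exact statement from the description, while the fixed builder yields the same statement with the `AND ()` removed.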
#10 (18 years ago)
Is labeled a WordPress Search Function SQL-Injection on seclists today.
#11 (18 years ago)
That's pretty annoying. Even without the fix there is no SQL injection vulnerability there whatsoever. The error is caused by an empty set of parenthesis. The keyword here is EMPTY.
I had spent a good deal of time making sure nothing could be passed to the query string (before and after this fix,) but I guess all it takes to post to a security mailing list is an email address.
Confirmed.