Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#3722 closed defect (bug) (fixed)

DB error when sanitized search string results in empty query

Reported by: zippity
Owned by: charleshooper
Milestone: 2.1.2
Priority: normal
Severity: normal
Version: 2.1
Component: General
Keywords: has-patch needs-testing 2nd-opinion
Focuses:
Cc:

Description

When entering a comma "," into the search function, you get the following error displayed at top of page:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_dat' at line 1]
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND () AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10


Multiple commas produce the same result.
If you enter anything in addition to the comma, it works fine.

Attachments (1)

wp_search.diff (790 bytes) - added by charleshooper 8 years ago.
Single comma search "hack"


Change History (12)

comment:1 @Viper007Bond 8 years ago

Confirmed.

@charleshooper 8 years ago

Single comma search "hack"

comment:2 @charleshooper 8 years ago

  • Owner changed from anonymous to charleshooper

This is kind of a hack actually. This basically just gets rid of the extra SQL formatting if $search is empty, thus getting rid of the database error when a user submits a single comma as a search term.

The result?

When a user submits a single comma search all _published_ posts are returned.

Everything else seems OK though.

comment:3 @charleshooper 8 years ago

  • Keywords has-patch needs-testing 2nd-opinion added
  • Status changed from new to assigned

comment:4 @charleshooper 8 years ago

  • Component changed from Security to General
  • Summary changed from Search string does not sanitize commas to DB error when sanitized search string results in empty query

I guess it's also worth mentioning that commas _are_ being sanitized. The reason for the error is that once the commas are gone WordPress attempts to wrap the search query with "AND ( $search )".

Since $search is null MySQL throws up an error.
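
The following script is an added illustration, not code from this ticket, from the attached wp_search.diff, or from WordPress itself. It reproduces the mechanism comment 2 and comment 4 describe: a sanitizer that strips commas leaves an empty term list, the query builder still wraps that list in "AND ( ... )", and the database rejects "AND ()". The fixed builder emits the search group only when at least one term survived, so a lone comma falls through to the unfiltered published-post query, which is exactly the behaviour comment 2 reports for the patch. The sanitizer, the table layout and the sample rows are constructed for the demonstration, and sqlite3 stands in for MySQL; both engines reject an empty parenthesised group as a syntax error.

```python
import re
import sqlite3

# Constructed sample rows standing in for wp_posts; not WordPress data.
SAMPLE_POSTS = [
    ("Hello world", "publish"),
    ("Hello, comma", "publish"),
    ("Private draft", "draft"),
]


def open_db():
    """In-memory table with just the columns the ticket's query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_title TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def search_terms(raw):
    """Hypothetical sanitizer (assumption, not WordPress's own): punctuation,
    commas included, is replaced by whitespace, the remainder is split on
    whitespace and empty pieces are dropped. A lone comma yields no terms."""
    cleaned = re.sub(r"[^\w\s]", " ", raw)
    return [t for t in cleaned.split() if t]


def where_clause_buggy(terms):
    """Reproduces the failure in the ticket: the OR-list is always wrapped in
    'AND ( ... )', so zero terms produce the unparseable 'AND ()'."""
    search = " OR ".join("post_title LIKE ?" for _ in terms)
    return "1=1 AND (" + search + ") AND (post_status = 'publish')"


def where_clause_fixed(terms):
    """Emit the search group only when at least one term survived sanitizing."""
    clause = "1=1"
    if terms:
        clause += " AND (" + " OR ".join("post_title LIKE ?" for _ in terms) + ")"
    return clause + " AND (post_status = 'publish')"


def run_search(raw, build_where):
    """Return matching titles; raises sqlite3.OperationalError on bad SQL.
    Terms are bound as parameters, so only the clause shape can break."""
    terms = search_terms(raw)
    sql = "SELECT post_title FROM posts WHERE " + build_where(terms) + " ORDER BY post_title"
    params = ["%" + t + "%" for t in terms]
    conn = open_db()
    try:
        return [row[0] for row in conn.execute(sql, params)]
    finally:
        conn.close()


def reproduce(raw):
    """Run both builders on one input: (buggy_error_text_or_None, fixed_titles)."""
    try:
        run_search(raw, where_clause_buggy)
        buggy_error = None
    except sqlite3.OperationalError as exc:
        buggy_error = str(exc)
    return buggy_error, run_search(raw, where_clause_fixed)


if __name__ == "__main__":
    for raw in [",", ",,,", "comma", "comma ,"]:
        err, titles = reproduce(raw)
        print(repr(raw), "| buggy:", err or "ok", "| fixed:", titles)
```

Running it shows "," and ",,," failing with a syntax error near ")" under the old builder and returning every published row under the fixed one, while "comma" and "comma ," behave identically under both, matching the reporter's note that adding anything besides the comma works fine.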

comment:5 @Nazgul 8 years ago

  • Milestone changed from 2.1.1 to 2.1.2

comment:6 @Nazgul 8 years ago

The patch also fixes #3722.

comment:7 @Nazgul 8 years ago

I meant #3759.

comment:8 @ryan 8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [4911]) Handle empty search query. Props charleshooper. fixes #3722 #3759

comment:9 @ryan 8 years ago

(In [4912]) Handle empty search query. Props charleshooper. fixes #3722 #3759

comment:11 @charleshooper 8 years ago

That's pretty annoying. Even without the fix there is no SQL injection vulnerability there whatsoever. The error is caused by an empty set of parenthesis. The keyword here is EMPTY.

I had spent a good deal of time making sure nothing could be passed to the query string (before and after this fix,) but I guess all it takes to post to a security mailing list is an email address.
