Possible SQL injection vuln. Apostrophe in post creates SQL error
|Reported by:||knowtown||Owned by:|
|Component:||Security||Keywords:||apostrophe sql error|
I am not sure if this is the right place to post this but I was referred here after not being able to resolve my issue in the WordPress forums (http://wordpress.org/support/topic/108207?replies=15).
Long story short I upgraded my blog to 2.1.1 and now whenever I type a post that has an apostrophe character I get an error like this:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's excerpt that is creating error' at line 1] UPDATE wp_posts SET post_content = 'The complete text of the post displays here. in this post would be the post's excerpt that is creating the error.' WHERE ID = '628'
I had two good suggestions to try. First was to create a new WordPress blog with a clean install into a new directory and a new database, which I did (using Fantastico) and still got the same error. Second was to contact my host provider (Bluehost) to see if there was something wrong in my sql database. My host provider confirmed that my setting were correct.
Then I discovered that when I typed up a post in MS Word and pasted it into WordPress the post would publish with no error. When I cut and paste, the apostrophe appears in the post edit window as a curly quote (like a comma) but when I type directly in the edit window the apostrophe appears as a straight line (like a vertical tick mark). If I am reading previous problems on the forum correctly this is opposite what most people experience. It seems most people have errors when they cut and paste from Word.
Some suggested I try some plugins that disable smart quotes and I did try "quotemark replacer" and "unfancy quote" with no success. I also verified that the problem only happens with apostrophe/single quote and not with double quotes.
I also host a friends blog in a different folder with a different database. That blog has not been upgraded and is not experiencing any of these errors. So it seems that there is something strange in the combination of my server, WordPress 2.1.1 and using the apostrophe character.
The error will appear the very first autosave/save after an apostrophe character is typed. Then when you publish the post it takes you to an error screen. If you exit that screen the post actually does publish so I the overall problem is not a deal breaker but the error is annoying. I sure would love to know if there is a way to resolve it.
If anyone has any thoughts or can point me in new direction I would appreciate it.
Change History (8)
10 years ago
- Resolution set to invalid
- Status changed from new to closed
- Resolution invalid deleted
- Status changed from closed to reopened
10 years ago
- Component changed from General to Security
- Keywords reporter-feedback dev-feedback added
- Priority changed from normal to high
- Severity changed from normal to critical
- Summary changed from apostrophe in post creates database SQL error to Possible SQL injection vuln. Apostrophe in post creates SQL error