Infrequent but steady stream of database errors after upgrade

  • eschaum
    Member
    • Apr 2003
    • 46

    Hi,

    I'm getting some recurring database errors after upgrading to rc3.

    The first might be related to users having an apostrophe in their user name. Here are 2 sample error messages:
    *************************
    Database error in vBulletin 3.5.0 Release Candidate 3:

    Invalid SQL:

    SELECT posts, userid, username FROM user AS user
    WHERE username = 'Greenglade's Frog';

    MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Frog'' at line 2
    Error Number : 1064
    Date : Wednesday, September 14th 2005 @ 01:47:05 AM
    Script : http://forum.yestalk.org/search.php?do=process&showposts=0&starteronly=1&exactname=1&searchuser=Greenglade\'s+Frog
    Referrer :
    IP Address : 65.19.150.227
    Username : Unregistered
    Classname : vb_database
    *************************
    Database error in vBulletin 3.5.0 Release Candidate 3:

    Invalid SQL:

    SELECT posts, userid, username FROM user AS user
    WHERE username = 'Roan's Lady';

    MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Lady'' at line 2
    Error Number : 1064
    Date : Tuesday, September 13th 2005 @ 11:42:32 PM
    Script : http://forum.yestalk.org/search.php?do=process&showposts=0&starteronly=1&exactname=1&searchuser=Roan\'s+Lady
    Referrer :
    IP Address : 65.19.150.227
    Username : Unregistered
    Classname : vb_database
    ************************


    Edit: The error listed below is likely from my host; they are reporting packet-dropping problems with their routers.

    The second error is not so specific, and could be something with my host, but I'm not sure:

    Database error in vBulletin :

    mysql_connect(): Lost connection to MySQL server during query
    /home/.hadrondryer/afterhrs/forum.yestalk.org/includes/class_core.php on line 265

    MySQL Error :
    Error Number :
    Date : Wednesday, September 14th 2005 @ 10:08:25 AM
    Script : http://forum.yestalk.org/attachment....1&d=1123616716
    Referrer : http://forum.yestalk.org/showthread.php?t=5405
    IP Address : 4.20.178.68
    Username :
    Classname : vb_database

    I normally wouldn't report a connection lost error, but I have dozens of these error messages and they all make reference to class_core.php on line 265.


    Any ideas what might be happening here?

    Thanks,

    Ed
    Last edited by eschaum; Wed 14 Sep '05, 10:20am.
  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    The first thing I recommend is that you reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server.

    Next, create a new style and choose no parent style. This will force it to use the default templates. Finally empty your browser cache, close all browser windows then try again. Make sure you change to the new style and view your forums with it. Do you have the same problem?

    The second error is a server issue. You need to contact your host about this. See this post for the possible causes of a lost connection error:

    Hello, I've been running vBulletin without any incident for about 8 months now. I've recently switched ISPs and when I transferred over to the new server I started getting error emails, always error 2013. I have been switched over for about 1 week now; some days I get 15-20, others I have gotten 150-200. I have asked my ISP
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



    • Mike Sullivan
      Former vBulletin Developer
      • Apr 2000
      • 13327
      • 3.6.x

      #3
      The first issue is a known and recently fixed bug.


      • eschaum
        Member
        • Apr 2003
        • 46

        #4
        Originally posted by Mike Sullivan
        The first issue is a known and recently fixed bug.
        Thanks, I was getting worried that something went wrong during the upgrade.

        Ed


        • Paul
          Senior Member
          • Dec 2001
          • 824
          • 3.6.x

          #5
          Hi Ed,

          I reported the bug you listed here this morning after receiving a similar report yesterday; however, it appears the bug is no longer viewable in the bug tracker. You'll note that both usernames contain apostrophes. Essentially, the username passed on to search when "exact match" is selected isn't properly prepped for the query to the database server and the apostrophes aren't backslashed (\'). In general, this sort of checking failure is a very bad thing in terms of nasty things that can be done by someone acting maliciously.

          The change I've made to prevent this problem is quite simple, however I don't know if the same issue appears in other parts of the code (I certainly hope not!):

          Open search.php and find the following line (part of a SELECT query):
          PHP Code:
          WHERE username " . iif($vbulletin->GPC['exactname'], "'$username'", "LIKE('%" . sanitize_word_for_sql($username) . "%'
          Replace it with the following:
          PHP Code:
          WHERE username " . iif($vbulletin->GPC['exactname'], "'" . sanitize_word_for_sql($username) . "'", "LIKE('%" . sanitize_word_for_sql($username) . "%'
          I have no idea if this appeared in earlier versions, but I only noticed it in 3.5 RC3. I very highly recommend that anyone running vBulletin 3.x check for the existence of the flawed code above and quickly implement this fix.

          Best wishes,
          Paul


          • majorxp
            Member
            • Aug 2005
            • 45

            #6
            The code in question was changed from RC2 to RC3... I would like to hear the official word as to whether Paul's revert to RC2 code is a good recommendation.


            RC2
            Code:
                    $username = sanitize_word_for_sql(htmlspecialchars_uni($vbulletin->GPC['searchuser']));
            .
            .
                        WHERE username " . iif($vbulletin->GPC['exactname'], "= '$username'", "LIKE('%$username%')
            RC3
            Code:
                    $username = htmlspecialchars_uni($vbulletin->GPC['searchuser']);
            .
            .
                        WHERE username " . iif($vbulletin->GPC['exactname'], "= '$username'", "LIKE('%" . sanitize_word_for_sql($username) . "%')

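A small triage script, added here as an example and not part of this thread or of vBulletin, that parses error reports laid out like the two Ed quoted and separates the unescaped-apostrophe case (error 1064 on an exactname=1 search whose searchuser contains a quote, the search.php bug Paul and majorxp trace through the RC2/RC3 code) from the lost-connection case Steve attributes to the host. The sample reports, hostnames and paths are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Two reports constructed in the layout of the ones quoted in the thread (hostnames/paths are placeholders).
SAMPLE_REPORTS = """\
Database error in vBulletin 3.5.0 Release Candidate 3:
Invalid SQL:
SELECT posts, userid, username FROM user AS user
WHERE username = 'Greenglade's Frog';
MySQL Error : You have an error in your SQL syntax; check the manual ...
Error Number : 1064
Script : http://forum.example.test/search.php?do=process&exactname=1&searchuser=Greenglade\\'s+Frog
*************************
Database error in vBulletin :
mysql_connect(): Lost connection to MySQL server during query
/home/example/forum/includes/class_core.php on line 265
Error Number :
Script : http://forum.example.test/attachment.php?attachmentid=PLACEHOLDER
"""

def parse_report(block):
    """Pull the fields the triage needs out of one 'Database error' report."""
    rep = {"error_number": "", "script": "", "sql": ""}
    lines = block.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Error Number :"):
            rep["error_number"] = line.split(":", 1)[1].strip()
        elif line.startswith("Script :"):
            rep["script"] = line.split(":", 1)[1].strip()
        elif line.startswith("Invalid SQL:"):
            # the failing query runs from here up to the "MySQL Error" line
            rest = lines[i + 1:]
            stop = next((j for j, l in enumerate(rest) if l.startswith("MySQL Error")), len(rest))
            rep["sql"] = " ".join(l.strip() for l in rest[:stop] if l.strip())
    return rep

def classify(block):
    if "Lost connection to MySQL server" in block:
        return "host/connection"          # Steve's class: ask the host
    rep = parse_report(block)
    qs = parse_qs(urlsplit(rep["script"]).query)
    user = qs.get("searchuser", [""])[0]
    exact = qs.get("exactname", ["0"])[0] == "1"
    # 1064 on an exact-name search with a quote in the username: the search.php escaping bug
    if rep["error_number"] == "1064" and exact and "'" in user and "WHERE username = '" in rep["sql"]:
        return "unescaped-quote (search.php exactname)"
    return "other"

def triage(text):
    # reports in a log are separated by a line of asterisks, as in the thread
    return [classify(b) for b in re.split(r"\n\*{5,}\n", text) if b.strip()]
```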
