A Conversation for New h2g2 Feedback

BR: Apostrophe in username = SQL problem

Post 1

dElaphant (and Zeppo his dog (and Gummo, Zeppos dog)) - Left my apostrophes at the BBC

This might be a very serious bug.

I went to edit my username again, and this time got two errors.

1. Trying to change my name to "d'Elaphant (and Zeppo is dog (and Gummo, Zeppo's dog))"
resulted in this error at the bottom of the page:

Warning: odbc_exec(): SQL error: [unixODBC][FreeTDS][SQL Server]Incorrect syntax near 'Elaphant'., SQL state 37000 in SQLExecDirect in /var/www/noresearcherleftbehind/application/models/Users.php on line 303


2. Trying it again, taking out the apostrophe in "d'Elaphant" but leaving in the one in "Zeppo's" resulted in this error:

Warning: odbc_exec(): SQL error: [unixODBC][FreeTDS][SQL Server]Unclosed quotation mark after the character string ' WHERE [UserID]=18695 '., SQL state 37000 in SQLExecDirect in /var/www/noresearcherleftbehind/application/models/Users.php on line 303

It looks like you can use an apostrophe to create an SQL injection, which could cause all sorts of trouble.

ooooh no guide entry on "sql injection". Must add that to my "to do" list.


BR: Apostrophe in username = SQL problem

Post 2

Asteroid Lil - Offstage Presence

d'E, I'll report this and quote you verbatim. I only just started getting chops in javascript by dint of the scripts you wrote the other year -- SQL is a whole nother bucket of fish.


BR: Apostrophe in username = SQL problem

Post 3

IctoanAWEWawi

"Incorrect syntax near 'Elaphant'."

heheh, I'm stealing that...


BR: Apostrophe in username = SQL problem

Post 4

TRiG (Ireland) A dog, so bade in office

Since we don't yet have our own Guide Entry on SQL injections, I'll direct you to Bobby Tables, and reiterate that this could be a very very serious bug, which could lead to a corrupted database (I hope we have backups).

http://xkcd.com/327/
http://bobby-tables.com/

TRiG.

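The two errors in Post 1 and the Bobby Tables warning in Post 4, as an added example that is not code from the original thread and not h2g2's own Users.php (which is not on the page). It reconstructs the query shape the second error message implies, UPDATE ... SET [Username]='...' WHERE [UserID]=18695, in Python against an in-memory SQLite table standing in for SQL Server (the table, column names and sample rows are constructed), reproduces both error cases, shows that a crafted name rewrites every row in the table, and contrasts the parameterised form that stores the apostrophe as plain data:

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's users table (real schema not on the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users ([UserID] INTEGER PRIMARY KEY, [Username] TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [(18695, "dElaphant"), (1, "Asteroid Lil"), (2, "TRiG")])
    con.commit()
    return con

def rename_unsafe(con, user_id, new_name):
    """Hypothetical reconstruction of the pattern the Post 1 errors imply:
    the new name is spliced straight into the SQL text, so any ' in it
    ends the string literal and the rest is parsed as SQL."""
    sql = ("UPDATE Users SET [Username]='" + new_name
           + "' WHERE [UserID]=" + str(user_id))
    try:
        con.execute(sql)
        con.commit()
        return "ok"
    except sqlite3.OperationalError as e:
        con.rollback()
        return "error: " + str(e)

def rename_safe(con, user_id, new_name):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes, comment markers and semicolons in the name are just data."""
    con.execute("UPDATE Users SET [Username]=? WHERE [UserID]=?", (new_name, user_id))
    con.commit()
    return "ok"

def name_of(con, user_id):
    row = con.execute("SELECT [Username] FROM Users WHERE [UserID]=?", (user_id,)).fetchone()
    return row[0]

def demo():
    """Run the three unsafe cases from the thread, then the safe form, and
    return the observed outcomes keyed by case name."""
    results = {}
    con = make_db()
    # Case 1 from Post 1: apostrophe inside the first word -> syntax error near 'Elaphant'
    results["apostrophe_in_word"] = rename_unsafe(
        con, 18695, "d'Elaphant (and Zeppo is dog (and Gummo, Zeppo's dog))")
    # Case 2 from Post 1: apostrophe later in the name -> the quote is closed early
    results["apostrophe_later"] = rename_unsafe(
        con, 18695, "dElaphant (and Zeppo his dog (and Gummo, Zeppo's dog))")
    # The Bobby Tables point from Post 4 (constructed input): close the literal,
    # then comment out the WHERE clause so the UPDATE hits every row.
    results["injected"] = rename_unsafe(con, 18695, "Bobby' --")
    results["lil_after_injection"] = name_of(con, 1)

    con = make_db()
    results["safe"] = rename_safe(
        con, 18695, "d'Elaphant (and Zeppo is dog (and Gummo, Zeppo's dog))")
    results["safe_name"] = name_of(con, 18695)
    results["safe_lil"] = name_of(con, 1)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The equivalent fix in the PHP/ODBC stack the error messages name is to build the statement once with odbc_prepare() and bind the username with odbc_execute(), rather than concatenating it into the string handed to odbc_exec(); escaping the apostrophe by hand is a weaker substitute. Note that the "intermittent" workaround later in the thread (using a curly ’) only avoids the problem because that character is not the ASCII quote the SQL parser cares about; it does not fix the underlying concatenation.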

BR: Apostrophe in username = SQL problem

Post 5

You can call me TC

I tried to change my name today and couldn't call myself Trillian's Child - presumably because of the apostrophe. I didn't get the error message, though.


BR: Apostrophe in username = SQL problem

Post 6

dElaphant (and Zeppo his dog (and Gummo, Zeppos dog)) - Left my apostrophes at the BBC

I forgot about Bobby Tables. And we do now have an (as yet unedited) entry on SQL Injection. I'll have to add the link to the xkcd comic. And I would share the link to my entry, but my user page has gone missing - I'm hoping that last one is a transient issue this morning.

Aha - still in my browser history - A87709783


BR: Apostrophe in username = SQL problem

Post 7

six7s

Try using ’ instead of an apostrophe in your screen name - it works


BR: Apostrophe in username = SQL problem

Post 8

six7s

... or... rather... it works intermittently...

Weird


BR: Apostrophe in username = SQL problem

Post 9

You can call me TC

For posterity: six7s name appears like this at the moment:

six7s - ’ is an apostrophe


BR: Apostrophe in username = SQL problem

Post 10

aka Bel - A87832164

Well, that's a curly quote. Try ' for a proper straight apostrophe.


BR: Apostrophe in username = SQL problem

Post 11

six7s

What I meant by "weird" is that sometimes it looks like what TC posted...

And sometimes it looks like this:
six7s - ’ - it’s an apostrophe

Some sorta caching bug?

Anyhoo... that's a whole nother kettle of piranhas

Back on topic:
the SQL injection bug does have a 'workaround'

