
Somewhere quotes not escaped


cogdog
01-24-2008, 05:53 PM
I'm just into osTicket for the first time. From database error messages, somewhere in the code, a single quote in a ticket subject is not being escaped (somewhere a string needs addslashes); however, not being familiar yet with the code, I cannot find where this is missing.

[SELECT count(*) FROM ost_ticket ticket LEFT JOIN ost_department dept ON ticket.dept_id=dept.dept_id LEFT JOIN ost_ticket_priority pri ON ticket.priority_id=pri.priority_id LEFT JOIN ost_ticket_lock tlock ON ticket.ticket_id=tlock.ticket_id AND tlock.expire>NOW() WHERE 1 AND ( ticket.email LIKE '%can't%' OR ticket.name LIKE '%can't%' OR ticket.subject LIKE '%can't%' ) ] - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't%' OR ticket.name LIKE '%can't%' OR ticket.subject LIKE '%can't%' )' at line 1

Wherever user input text is used as a criteria, the string must be addslashes() in advance or the query is tripped.

Also, on these DB error messages, it would be helpful to reference the file name where the error occurs.
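The failure cogdog describes, reproduced as an added example that is not osTicket's own code: a constructed ticket table in Python's sqlite3, the search term spliced into the query text (which breaks on `can't` just as the quoted error shows), and the same search with bound parameters plus LIKE-wildcard escaping. The table layout, the three columns and the function names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample rows standing in for ost_ticket; only the three
# columns the search in the error message touches are modelled.
TICKETS = [
    ("alice@example.com", "Alice", "I can't log in"),
    ("bob@example.com", "Bob", "Printer offline"),
    ("carol@example.com", "Carol", "Discount 100% applied?"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ost_ticket (email TEXT, name TEXT, subject TEXT)")
    conn.executemany("INSERT INTO ost_ticket VALUES (?, ?, ?)", TICKETS)
    return conn

def count_unsafe(conn, term):
    # The pattern behind the reported error: the raw term is spliced into the
    # SQL text, so a quote inside it ends the string literal early.
    sql = ("SELECT count(*) FROM ost_ticket ticket WHERE 1 AND ("
           f" ticket.email LIKE '%{term}%' OR ticket.name LIKE '%{term}%'"
           f" OR ticket.subject LIKE '%{term}%' )")
    return conn.execute(sql).fetchone()[0]

def escape_like(term):
    # Bound parameters settle the quoting problem, but LIKE wildcards are
    # still interpreted, so '%' and '_' typed by the user are escaped too.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def count_safe(conn, term):
    pattern = f"%{escape_like(term)}%"
    sql = ("SELECT count(*) FROM ost_ticket ticket WHERE 1 AND ("
           " ticket.email LIKE ? ESCAPE '\\' OR ticket.name LIKE ? ESCAPE '\\'"
           " OR ticket.subject LIKE ? ESCAPE '\\' )")
    return conn.execute(sql, (pattern, pattern, pattern)).fetchone()[0]

def search_outcome(term):
    """Return (unsafe_result, safe_result); unsafe_result is the database's
    error text when the spliced query does not parse, as in the forum report."""
    conn = make_db()
    try:
        unsafe = count_unsafe(conn, term)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"
    safe = count_safe(conn, term)
    conn.close()
    return unsafe, safe
```

Searching for `%` shows the second half of the fix: the spliced query matches every row, while the escaped parameter matches only the ticket whose subject actually contains a percent sign.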

peter
01-24-2008, 06:23 PM
Thank you for pointing out the issue. Related bug report here http://osticket.com/forums/project.php?issueid=21