Fez version: 2.0RC1
There is a trivial request error when changing the number of results per page on the 'Assign Unpublished Items' screen.
The URL generated is:
http://192.168.5.52/fez/my_fez.php?rows=10?rows=10&pager_row_my_assigned=0#
Note the duplicate rows=10 request parameter and, more importantly, the incorrect duplicate question-mark preceding it.
What's more concerning is that 'rows=10&rows=10' is injected into the SQL, which leaves Fez open to a SQL injection attack:
SELECT SQL_CALC_FOUND_ROWS DISTINCT r1.* FROM fez_record_search_key AS r1
INNER JOIN
fez_record_search_key_ismemberof as r8 on r8.rek_ismemberof_pid = r1.rek_pid and r8.rek_ismemberof IN ('archives:2','archives:2')
WHERE r1.rek_status != 2 ORDER BY r1.rek_title DESC, r1.rek_pid DESC LIMIT 10?rows=10 OFFSET 0
)
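The root cause in the report is a page-size parameter that is pasted straight into the LIMIT clause. The following is an added illustration, not code from the report, from Fez, or from the linked commit: it shows the vulnerable concatenation next to a hardened version that validates the 'rows' value as a plain integer, clamps it, and binds it as a query parameter. Python with an in-memory SQLite table stands in for Fez's PHP and MySQL; the table name `records`, the column `pid`, the default and maximum page sizes, and the sample rows are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

DEFAULT_ROWS = 10   # assumed default page size
MAX_ROWS = 100      # assumed upper bound a page size may reach

# Only plain ASCII digits are accepted; this rejects '10?rows=10' from the
# report as well as anything carrying spaces, signs or SQL keywords.
_ROWS_RE = re.compile(r"[0-9]{1,6}")


def parse_rows(url: str) -> int:
    """Extract a safe page size from the URL's query string.

    Anything that is not a plain positive integer falls back to DEFAULT_ROWS,
    and the result is clamped to MAX_ROWS so a huge value cannot dump the table.
    """
    query = urlsplit(url).query
    values = parse_qs(query, keep_blank_values=True).get("rows", [])
    if not values:
        return DEFAULT_ROWS
    raw = values[0]          # duplicated keys: use the first, never join them
    if not _ROWS_RE.fullmatch(raw):
        return DEFAULT_ROWS
    rows = int(raw)
    if rows < 1:
        return DEFAULT_ROWS
    return min(rows, MAX_ROWS)


def sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for fez_record_search_key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (pid TEXT PRIMARY KEY)")
    conn.executemany(
        "INSERT INTO records VALUES (?)",
        [(f"rec:{i:03d}",) for i in range(1, 26)],  # 25 constructed records
    )
    return conn


def vulnerable_page(conn: sqlite3.Connection, raw_rows: str):
    """The pattern the report describes: the raw parameter is pasted into LIMIT.

    Returns ('ok', pids) or ('error', message) so the failure is observable.
    """
    sql = f"SELECT pid FROM records ORDER BY pid LIMIT {raw_rows} OFFSET 0"
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def safe_page(conn: sqlite3.Connection, url: str, offset: int = 0) -> list:
    """Hardened version: validated integer, bound as a parameter, never concatenated."""
    rows = parse_rows(url)
    cur = conn.execute(
        "SELECT pid FROM records ORDER BY pid LIMIT ? OFFSET ?", (rows, offset)
    )
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = sample_db()
    bad_url = "http://192.168.5.52/fez/my_fez.php?rows=10?rows=10&pager_row_my_assigned=0#"
    print(vulnerable_page(db, "10?rows=10"))   # ('error', ...): the malformed value breaks the query
    print(safe_page(db, bad_url))               # 10 pids: malformed value ignored, default applied
    print(len(safe_page(db, "http://192.168.5.52/fez/my_fez.php?rows=5")))  # 5
```

Two points are worth separating when triaging a report like this: the doubled '?' in the generated link is a bug in the pager's URL building, while the injection is a bug in the query builder, and only the second one is a security issue. The hardened path treats them independently: whatever the link generator produces, the query only ever sees a bounded integer bound through a placeholder.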
Logged In: YES
user_id=485632
Originator: YES
File Added: Fez bugs 2.png
Example of request error
Logged In: YES
user_id=1331369
Originator: NO
This is something we have also noticed and will be addressed shortly.
Logged In: YES
user_id=1331369
Originator: NO
This is fixed in this svn commit: http://dev-repo.library.uq.edu.au/websvn/listing.php?repname=fez&path=%2Ftrunk%2F&rev=1390&sc=0
Logged In: YES
user_id=1331369
Originator: NO
Actually, it's mainly the SQL injection that is fixed in the commit below - the rows issue remains and will be resolved soon - Christiaan