Snitz Forums 2000
 V33(.02) BUG+FIX?: Forum Title containing '

eleven
Starting Member

Turkey
32 Posts

Posted - 06 August 2001 :  17:06:13
When we use the character ' in the Forum title I get this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Sürücüsü] ''Eleven's Test Forums 2000' WHERE C_VARIABLE = 'strForumTitle'' sorgu ifadesi içindeki Sözdizimi hatası (eksik işleç)

/snitz2/admin_config_system.asp, line 108


Steps to reproduce:
1) Setup snitz 3.3.0.2
2) Login as admin.
3) Click Admin Options
4) Click 'Main Forum Configuration'
5) Change the Forum Title as Eleven's Test Forums (or any other that includes ' )
6) Click Submit New Config

Thanks...

Burak Tuyan aka eLeVeN

Deleted
deleted

4116 Posts

Posted - 06 August 2001 :  18:03:59
I confirm this error. This is caused by the changes in chkString Function in inc_functions.asp file. Compared to v3.2a6, this time it exits the function if it's called with the "title" parameter, thus not executing the


fString = Replace(fString, "'", "''")


line at the bottom of the function.

A good fix should analyze other parameters (as this is security related I leave it to one of the admins), but a quick fix can be changing (line #403):


if fField_Type = "title" then
    if strAllowHTML <> "1" then
        fString = HTMLEncode(fString)
    end if
    chkBadWords(fString)
    chkString = fString
    exit function
end if


To


if fField_Type = "title" then
    if strAllowHTML <> "1" then
        fString = HTMLEncode(fString)
    end if
    chkBadWords(fString)
    fString = Replace(fString, "'", "''")
    chkString = fString
    exit function
end if



Think Pink

ecclesia
Starting Member

12 Posts

Posted - 08 August 2001 :  18:54:53
This has been a problem with our v3.3-up that someone has finally found a solution to. We confirm that your fix works and has corrected the problem. Thank you

He is not the God of the dead, but the God of the living: ye therefore do greatly err. - Mark 12:27

Deleted
deleted

4116 Posts

Posted - 10 August 2001 :  06:46:35
Although I'm not completely satisfied with the solution... You're welcome.

Think Pink

Deleted
deleted

4116 Posts

Posted - 16 August 2001 :  18:36:17
quote:

A good fix should analyze other parameters (as this is security related I leave it to one of the admins), but a quick fix can be changing (line #403):



Can somebody make a better analysis for the chkString function?

Think Pink

gor
Retired Admin

Netherlands
5511 Posts

Posted - 17 August 2001 :  09:07:40
The problem here is that "title" is used both for displaying the title and for preparing the title for an SQL string.

Change line 106 in admin_config_system.asp to:

strSql = strSql & " SET C_VALUE = '" & ChkString(Request.Form(key), "SQLString") & "'"


Fixed in the code for version 3.3.03

Pierre
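
The context mix-up described in the last post, as an added example that is not part of the thread or of the Snitz code base: the same title goes through a display-context escaper and an SQL-context escaper before being concatenated into the UPDATE statement, and then through a bound parameter. Python with sqlite3 stands in for ASP and Access here; `chk_string`, the `CONFIG_DEMO` table and the helper names are constructed for the illustration, and HTML encoding is assumed to leave `'` unchanged, as the reported error implies.

```python
import html
import sqlite3

def chk_string(value, field_type, allow_html=False):
    """Python stand-in for the thread's chkString: one escaper per output context."""
    if field_type == "title":        # display context (where 3.3.02 exits early)
        return value if allow_html else html.escape(value, quote=False)
    if field_type == "SQLString":    # SQL string-literal context
        return value.replace("'", "''")
    raise ValueError("unknown field type: " + field_type)

def make_db():
    # Constructed table; only the C_VARIABLE / C_VALUE columns appear in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CONFIG_DEMO (C_VARIABLE TEXT, C_VALUE TEXT)")
    db.execute("INSERT INTO CONFIG_DEMO VALUES ('strForumTitle', 'old')")
    return db

def save_concat(db, title, field_type):
    """Build the UPDATE by string concatenation, as the quoted ASP line does."""
    sql = ("UPDATE CONFIG_DEMO SET C_VALUE = '" + chk_string(title, field_type)
           + "' WHERE C_VARIABLE = 'strForumTitle'")
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)

def save_param(db, title):
    """Bound parameters: the driver handles quoting, no escaping function needed."""
    db.execute("UPDATE CONFIG_DEMO SET C_VALUE = ? WHERE C_VARIABLE = ?",
               (title, "strForumTitle"))
    return "ok"

def stored_title(db):
    return db.execute("SELECT C_VALUE FROM CONFIG_DEMO").fetchone()[0]

if __name__ == "__main__":
    title = "Eleven's Test Forums"               # the title from the bug report
    db = make_db()
    print(save_concat(db, title, "title"))       # display escaper: SQL syntax error
    print(save_concat(db, title, "SQLString"))   # SQL escaper: statement runs
    print(stored_title(db))
    print(save_param(db, title), stored_title(db))
```

Escaping for display belongs at output time and escaping for SQL at query time; the bound-parameter variant removes the SQL half of that decision entirely.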