Snitz Forums 2000
 Bug: POST.ASP

red1
Junior Member

355 Posts

Posted - 17 February 2003 : 09:10:34
If I can get the forum to produce this error by manipulating the querystring, would that be considered a bug?

Syntax error (missing operator) in query expression ...(column names)

I posted here instead of in bug reports because I'm not sure if it's a bug or not.

My Mods:
New Events Calendar
New Non-database Active Users

Edited by - red1 on 17 February 2003 12:48:54

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 17 February 2003 : 09:14:45
what do you mean by manipulating the querystring? if you are changing the code, then it is NOT a bug (at least not a bug with the snitz code)

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

red1
Junior Member

355 Posts

Posted - 17 February 2003 : 09:22:51
no changes to the code, just changing some parameters in the querystring.

My Mods:
New Events Calendar
New Non-database Active Users

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 17 February 2003 : 09:40:42
how are you changing the parameters?

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

Deleted
deleted

4116 Posts

Posted - 17 February 2003 : 11:15:41
For example, if you change the parameter to (say) ...?forum_id=nono it will throw an error. But this is good!

Stop the WAR!

red1
Junior Member

355 Posts

Posted - 17 February 2003 : 12:20:26
But bozden it's revealing the column names. Isn't that bad? Anyway, here it is: if you try to post a message and the forum_ID is blank you get an error. Here try it:
[link deleted]

My Mods:
New Events Calendar
New Non-database Active Users

Edited by - red1 on 17 February 2003 12:47:54

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 17 February 2003 : 12:25:07
why would the forum id be blank? to post a new topic in a forum you have to click on the icon and that will build the correct querystring.

and it's not revealing column names; it's just a querystring. it could be post.asp?method=Topic&forum_identification_number=1, for instance, and as long as the code is correct, the database can still be queried.

besides, why are you worried about revealing column names when it's open source?

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

red1
Junior Member

355 Posts

Posted - 17 February 2003 : 12:36:55
Nikkol the column names are revealed in the error (if using an Access DB):

Microsoft JET Database Engine error '80040e14' 

Syntax error (missing operator) in query expression 'C.CAT_ID = F.CAT_ID AND F.FORUM_ID ='. 

/forum/post.asp, line 172 



It's just that every other error in snitz is caught before it can cause the page to crash, so I thought this one should be fixed as well.

My Mods:
New Events Calendar
New Non-database Active Users

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 17 February 2003 : 12:41:26
i see what you are saying now. it is good to have error catching. but still, doing it for the sake of not revealing column names is not the point since it is open source. rather, it should be done to make the forum as error-free as possible.

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 17 February 2003 : 12:42:14
I've fixed it by taking post.asp and adding some codes (shown in red) to lines 55 to 82:
if Request.QueryString("TOPIC_ID") <> "" then
	if IsNumeric(Request.QueryString("TOPIC_ID")) = True then
		strRqTopicID = cLng(Request.QueryString("TOPIC_ID"))
	else
		Response.Redirect("default.asp")
	end if
elseif Request.QueryString("TOPIC_ID") = "" AND (strRqMethod <> "Topic" And strRqMethod <> "Forum" And strRqMethod <> "Category") then
	Response.Redirect("default.asp")
end if
if Request.QueryString("FORUM_ID") <> "" then
	if IsNumeric(Request.QueryString("FORUM_ID")) = True then
		strRqForumID = cLng(Request.QueryString("FORUM_ID"))
	else
		Response.Redirect("default.asp")
	end if
elseif Request.QueryString("FORUM_ID") = "" AND (strRqMethod <> "Forum" And strRqMethod <> "Category") then
	Response.Redirect("default.asp")
end if
if Request.QueryString("CAT_ID") <> "" then
	if IsNumeric(Request.QueryString("CAT_ID")) = True then
		strRqCatID = cLng(Request.QueryString("CAT_ID"))
	else
		Response.Redirect("default.asp")
	end if
end if
if Request.QueryString("REPLY_ID") <> "" then
	if IsNumeric(Request.QueryString("REPLY_ID")) = True then
		strRqReplyID = cLng(Request.QueryString("REPLY_ID"))
	else
		Response.Redirect("default.asp")
	end if
elseif Request.QueryString("REPLY_ID") = "" AND (strRqMethod <> "Reply" And strRqMethod <> "Topic" And strRqMethod <> "Forum" And strRqMethod <> "Category") then
	Response.Redirect("default.asp")
end if


Sorry this stretched the topic, but I couldn't get the font size smaller.

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 17 February 2003 : 12:43:53
quote:
Originally posted by red1

Nikkol the column names are revealed in the error (if using an Access DB):

Microsoft JET Database Engine error '80040e14' 

Syntax error (missing operator) in query expression 'C.CAT_ID = F.CAT_ID AND F.FORUM_ID ='. 

/forum/post.asp, line 172 


I don't get that... All I get is this:
error '80040e14'
/forum/post.asp, line 168


The codes posted in my previous reply seem to fix the problem though.

It's just that every other error in snitz is caught before it can cause the page to crash, so I thought this one should be fixed as well.

Edited by - Roland on 17 February 2003 12:50:00

red1
Junior Member

355 Posts

Posted - 17 February 2003 : 12:47:25
That error was from my forum. Over here they've turned off sending error messages to the client

My Mods:
New Events Calendar
New Non-database Active Users

Deleted
deleted

4116 Posts

Posted - 17 February 2003 : 12:49:40
Interesting. This code:
quote:

if Request.QueryString("FORUM_ID") <> "" then
	if IsNumeric(Request.QueryString("FORUM_ID")) = True then
		strRqForumID = cLng(Request.QueryString("FORUM_ID"))
	else
		Response.Redirect("default.asp")
	end if
end if


should prevent that...

Duty (my daughter) called, so too late to look into this.

Stop the WAR!

Edited by - Deleted on 17 February 2003 13:02:44

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 17 February 2003 : 12:51:05
no bozden it doesn't ...

if forum_id is NOT empty then
do some stuff
end if

there is no else for if it IS empty

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

Roland
Advanced Member

Netherlands
9335 Posts

Posted - 17 February 2003 : 12:54:40
exactly. I had to re-read the code, but that's what I was going to post too

Using else won't work though because the FORUM_ID isn't used in all cases (when a forum or category are created). Using Elseif will work, as in my codes, which can probably be improved/shortened.
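
The per-parameter checks from the fix posted above, folded into one helper, as an added example that is not part of the original thread or of the Snitz code. `GetIdParam` and the `bln...` variables are hypothetical names, `strRqMethod` is assumed to be set earlier as in the posted code, and a digits-only test stands in for `IsNumeric` because `IsNumeric` also accepts input such as `1e5` and `CLng` raises an overflow error above 2147483647.

```vbscript
' Added example, not Snitz code. GetIdParam is a hypothetical helper name.
' Returns the ID as a Long, or Empty when the parameter is absent and optional.
' Redirects (which ends the script) when it is absent but required, or malformed.
Function GetIdParam(strName, blnRequired)
	Dim strValue, i
	strValue = Trim(Request.QueryString(strName))
	If strValue = "" Then
		If blnRequired Then Response.Redirect "default.asp"
		Exit Function	' return value stays Empty, like the unassigned variable in the posted code
	End If
	' Accept 1 to 9 decimal digits only, so CLng cannot overflow.
	If Len(strValue) > 9 Then Response.Redirect "default.asp"
	For i = 1 To Len(strValue)
		If InStr("0123456789", Mid(strValue, i, 1)) = 0 Then Response.Redirect "default.asp"
	Next
	GetIdParam = CLng(strValue)
End Function

' strRqMethod is assumed to be assigned earlier, as in the posted code.
' Which IDs may be missing depends on the method, mirroring the elseif branches.
Dim blnCreate, blnNoTopic, blnNoReply
blnCreate  = (strRqMethod = "Forum" Or strRqMethod = "Category")
blnNoTopic = (blnCreate Or strRqMethod = "Topic")
blnNoReply = (blnNoTopic Or strRqMethod = "Reply")

strRqCatID   = GetIdParam("CAT_ID", False)
strRqForumID = GetIdParam("FORUM_ID", Not blnCreate)
strRqTopicID = GetIdParam("TOPIC_ID", Not blnNoTopic)
strRqReplyID = GetIdParam("REPLY_ID", Not blnNoReply)
```

With this in place a blank `FORUM_ID` on a topic post is redirected before any SQL string is built, so the query never reaches the database with a dangling `F.FORUM_ID =`.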

red1
Junior Member

355 Posts

Posted - 17 February 2003 : 13:27:01
quote:

Duty (my daughter) called, so too late to look into this.



You named your daughter Duty?

Edited by - red1 on 17 February 2003 13:27:28