SQL keywords cause errors

  • robertbdc

    (@robertbdc)


    16 years, 5 months ago

    I’ve found a couple of times now that if my Post includes the wrong word, then trying to Save or Preview the post generates a 404 error. I was able to go through, paragraph by paragraph, and find the specific word that was causing problems.

    The first time, the word was “update”. When I changed it to “updat e”, it worked. Also, the word “updated” caused the posting to fail as well. It’s clearly the string “update” that caused the problem. I reworded the paragraph to use the word “revise” instead.

    But it happened again. This time, the offending word was “from”. Not the first time the word occurred… but the *fourth* time. I got around it this time by replacing “from” with “fr0m” (with a zero). This has the additional advantage of preserving the condition for analysis! I tried an update today, and the same problem occurred.

    My biggest concern is that “update” and “from” are SQL commands. I’m worried that WordPress is parsing user-entered text as SQL — which would open up the system to SQL injection attacks.

    Specfics of my WP installation:
    * Behind the scenes, I’m running on a subdirectory, using .htaccess to redirect. It took a little bit of poking to make it work, but other than this it’s fine. I can post my .htaccess file(s) if needed.

    * My only plugin is the official reCAPTCHA plugin.

    * I upgraded to WP 2.9, and didn’t have this problem until after the upgrade. The blog is just a month old, though, so that’s not proof that the upgrade “broke” anything.

    I don’t know the link policy of this board, so I’ll spell out the link to my site to view the example. It’s “Tequila Karaoke” dot com, and the post with “fr0m” is the one titled “The Goat: Expectations Exceeded”.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Mark / t31os

    (@t31os_)

    16 years, 5 months ago

    Have you tried making a post consisting of just MYSQL words..

    Title: test post
Content:
UPDATE FROM INSERT
update from insert
select SELECT

    If there’s a real problem with those words, it should fail when saving shouldn’t it?..

    The problem described doesn’t sound consistent (non-consistent bugs being the most annoying), so i’d suggest trying to narrow it down with some further test posts…

    Have you attempted to replicate the problem on another install, say a local copy, using WAMP, or whatever..

    Thread Starter robertbdc

    (@robertbdc)

    16 years, 5 months ago

    The post you suggested didn’t fail, so I took the original 1000+ word post and started hacking it down to a bare minimum. I’ve gotten here so far:

    from converter with from from ( from

    Saving “test post” with that content fails with a 404, whether doing a Preview, Post, or Save Draft.

    Removing anything from the line causes it to save successfully. I was working on methodically listing each possible thing to remove… but now my server is not responding. That might not be related to the WordPress problem (it’s probably just the proxy here at work), but I think I’d better quit poking it with a stick for a while.

    Mark / t31os

    (@t31os_)

    16 years, 5 months ago

    I’ll go test that in a new post..

    Be back in a min.. πŸ™‚

    Mark / t31os

    (@t31os_)

    16 years, 5 months ago

    lol, that was quick, worked instantly on the lastest build WP 3.0, i’ll go test on my live site, 1 min…

    EDIT—–
    Works under 2.8.6 …

    Going to upgrade the live site to 2.9 (it’s not active, maintainence mode), and test again..

    Be back shortly with update..

    EDIT again:
    Also works under 2.9 …

    Wish i could replicate the problem, but seems to be fine for me posting under 2.8.6, 2.9 and 3.0 ..

    Thread Starter robertbdc

    (@robertbdc)

    16 years, 5 months ago

    Well, that’s good news, at least. It doesn’t help me much, of course, but it means the rest of the world isn’t broken!

    I tried the “Reinstall” option under Tools, but it didn’t help. (Related note: WordPress was initially installed using my host’s Fantastico utility, then upgraded to 2.9.)

    I guess all I can do is practice my leet-speak and hope the problem just goes away.

    Mark / t31os

    (@t31os_)

    16 years, 5 months ago

    Do you run a local installation for testing?..

    Either way, it may be worth installing a fresh copy of WordPress on a test installation then importing a copy of your problem site…

    If the problem doesn’t carry over then it narrows down what it could be..

    Could be a problem file or two, have you considered reuploading the wp-admin , and wp-includes folders from a fresh copy.

    Chris_K

    (@handysolo)

    16 years, 5 months ago

    I wonder if RobertBdc’s host is running mod_security?

    Thread Starter robertbdc

    (@robertbdc)

    16 years, 5 months ago

    I asked, and the reply is “Yes, we are running mod_security”. Does that help anything?

    I don’t have a local installation for testing, at least not yet. I’m planning to add another WordPress installation, though, so I’ll try this test on that one. If it works there, then the problem is clearly related to this particular installation. Thanks!

    Chris_K

    (@handysolo)

    16 years, 5 months ago

    Well, one theory is that mod_security is detecting those SQL keywords and shutting down the form “posts.”.

    I don’t have the commands handy here, but if you search these forums (or the internet in general) for “mod_security .htaccess” I think you can turn up a way to turn off mod_security for your wp-admin directory (I remember this issue a lot from a year or two ago with some hosts).

    Thread Starter robertbdc

    (@robertbdc)

    16 years, 4 months ago

    Ooops… that didn’t do it, because either “SecFilterScanPOST Off” or “SecFilterEngine Off” in my .htaccess causes a 500 Internal Server Error. There are any number of reasons that could happen, I’m sure… .htaccess is powerful, but picky.

    FWIW, the magic string above still fails in WP 2.9.1.

    mrmist

    (@mrmist)

    16 years, 4 months ago

    Before I even clicked into this thread I was expecting to see a mod security issue, which sounds exactly like what this is.

    Can you get it disabled for your hosting? There is no WordPress related way to “fix” this issue. It’d either be .htaccess or apache config level.

    jsaligoe

    (@jsaligoe)

    15 years, 8 months ago

    404 Error after edit -> Update Post

    I was having this problem as well. Very frustrating. tested with plugins on and off; different templates; etc. no luck.

    then >>>
    @novada on 404 Error after edit -> Update Post thread gave me my first solid hint when mentioning that the words “from” and “select” triggered the 404 error.

    Just earlier today I went through a troubled post word by word as it seemed it was the content that was causing my problems. I was certain it was not code as I worked with plain text. I found that after I inserted a sentence containing the word “from” I was no longer able to update or publish – instead getting a 404 error. Indeed, I could create a new post with the content only the word “from”, and another with the content only the word “select”, but alas I could not create one with the content using both words!

    The solution: It was indeed a mod security issue – I called my host and they changed the setting for my sites and … fixed.

    My 2-week adventure trying to track the source of the problem was fixed in a matter of seconds. I hope this helps anyone else experiencing this error as well.

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘SQL keywords cause errors’ is closed to new replies.