When using the search plugin for easyblog, placing an apostrophe in the search term such as in a search for "bob's apples" throws an sql error, upon investigating it appears this is due to the value not being escaped leaving the plugin vulnerable to SQL injection attacks.

error in sql after using apostrophe (') in search using easyblog plugin

By Gravity Stack on Tuesday, 04 March 2014

Posted in General

Replies 4

Likes 0

Views 1.2K

Votes 0

When using the search plugin for easyblog, placing an apostrophe in the search term such as in a search for "bob's apples" throws an sql error, upon investigating it appears this is due to the value not being escaped leaving the plugin vulnerable to SQL injection attacks.

Hello Scott,

I am unable to access your site's backend, please advice? Also please provide your FTP so we could debug the issue on your site quickly.

Thanks:)

Khairul

Tuesday, 04 March 2014 01:16

0 Likes

0 Votes

0 Comments

#128222

Hey there,

Added FTP information and updated site informaton

Gravity Stack

Tuesday, 04 March 2014 22:49

0 Likes

0 Votes

0 Comments

#128425

Hey I was just wondering if there has been any progress with this?

Gravity Stack

Friday, 07 March 2014 23:58

0 Likes

0 Votes

0 Comments

#129323

Hello Scott,

I'm really sorry that delayed of this reply,
I have applied some fixes in your site,
JoomlaFolder\plugins\search\easyblog\easyblog.php
LINE 137 until 155



			case 'exact':

				$where[]	= 'a.`title` LIKE ' . $db->Quote( '%'.$text.'%', false );

				$where[]	= 'a.`content` LIKE ' . $db->Quote( '%'.$text.'%', false );

				$where[]	= 'a.`intro` LIKE ' . $db->Quote( '%'.$text.'%', false );

				

				$where2		= '( t.title LIKE ' . $db->Quote( '%'.$text.'%', false ) . ')';

				$where 		= '(' . implode( ') OR (', $where ) . ')';

				break;

			case 'all':

			case 'any':

			default:

				$words		= explode( ' ', $text );

				$wheres		= array();

				$where2		= array();

				$wheres2	= array();

				

				foreach ($words as $word)

				{

					$word		= $db->Quote( '%'.$word.'%', false );

Replace with



case 'exact':

				$where[]	= 'a.`title` LIKE ' . $db->Quote( '%'. $db->escape($text, true) .'%', false );

				$where[]	= 'a.`content` LIKE ' . $db->Quote( '%'. $db->escape($text, true) .'%', false );

				$where[]	= 'a.`intro` LIKE ' . $db->Quote( '%'. $db->escape($text, true) .'%', false );

				

				$where2		= '( t.title LIKE ' . $db->Quote( '%'. $db->escape($text, true) .'%', false ) . ')';

				$where 		= '(' . implode( ') OR (', $where ) . ')';

				break;

			case 'all':

			case 'any':

			default:

				$words		= explode( ' ', $text );

				$wheres		= array();

				$where2		= array();

				$wheres2	= array();

				

				foreach ($words as $word)

				{

					$word		= $db->Quote( '%'. $db->escape($word, true) .'%', false );

Thanks for reporting on this, we will including this fixes in next release version.

Arlex Wong

Tuesday, 11 March 2014 15:02

0 Likes

0 Votes

0 Comments

#129807