123
-=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- (c) WidthPadding Industries 1987 0|543|0 -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=-
Socoder -> Off Topic -> Site Bugs... " + &

Thu, 12 Jul 2007, 06:59
Jayenkai
", & and others in the titles of different areas in the site....

They do tend to mess up a little bit.
I've been going through the site's script, and I'm pretty sure I know what's causing it. Whenever you post, they're switched so that (hopefully) you can't hack your way into the SQL.. But when they're returned they aren't being switched back.
I could fix that pretty easily by adding a bunch of Replace commands here and there, but...
Well, the left and right bars have LOADS of those links, and to replace all of those, every single time the page is refreshed, or even Ajaxed..
That's a whole big lot of replaces!

I'm still not 100% sure on what's do-able, CPU wise, in PHP.. But I'm pretty sure that'd put us over the edge!
For now, you'll have to avoid using "s and &s and things inside your topic titles. If I spot any I can tweak them into other things using Super-Admin-Power.. And, try to use 's and +s wherever possible.

Sorry for all that, but it's better to be safe!

If you find any other bugs, let me know.

-=-=-
''Load, Next List!''
Thu, 12 Jul 2007, 07:48
svrman
Are you storing the titles using htmlentities()?
Thu, 12 Jul 2007, 07:57
Jayenkai
No, they're being changed with an array, not htmlentities(), due to... I think it was Oscar's server, which had a weird issue with it.

I could probably change that back, but... It works as it is.. Kinda

Like I said, I'd prefer the script be as safe as I can get it, so I'm waiting for Stealth to stress-test a small section, and we'll see if I can quick-tweak this bug away.

-=-=-
''Load, Next List!''
Thu, 12 Jul 2007, 22:49
Stealth
The only thing you need to do to prevent SQL injection (I think) is to add backslashes to " and '. I don't think & and # pose a threat.

-=-=-
Quit posting and try Google.