Today I accidentally found a bug in a version of a WordPress stats plugin. I searched for a word with a “‘” in it (foto’s) and as a result I got the following error on some blog:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','nl','Linux','Firefox','Google','','')' at line 1]
INSERT INTO turbostatpress (date, time, ip, urlrequested, agent, referrer, search,nation,os,browser,searchengine,spider,feed) VALUES ('20080222','16:41:43','MY-IP-HERE','','Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:220.127.116.11) Gecko/20061201 Firefox/18.104.22.168 (Ubuntu-feisty)', 'LONG-REFERER', 'foto's', 'nl', 'Linux', 'Firefox', 'Google', '', '')
I’m wondering… Will this bug also appear if I change my browser identity string into something with a single quote in it? It seems that this idea has already been tested and fixed in the latest version of StatPress. ‘Unfortunately’ the $_SERVER['HTTP_REFERER'] string is escaped automagically. This seems to be done by WordPress itself, since if I try to echo $_SERVER['HTTP_REFERER'] within the StatPress plugin the ‘ in my referrer is escaped with a \, while this is not the case in a normal PHP script. I say unfortunately since the StatPress plugin writer doesn’t escape the referrer himself.
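How the failing INSERT above should have been built, as an added example that is not StatPress’s own code: every value is passed through a `%s` placeholder of `$wpdb->prepare()`, so an apostrophe in the search term (or in a crafted User-Agent) stays inside the string literal. It assumes WordPress’s global `$wpdb` object, a table named `{$wpdb->prefix}statpress` (the query above shows `turbostatpress`, i.e. prefix `turbo`), and a hypothetical `$row` array keyed by the column names from that query.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress' global $wpdb
// (with its prepare() and query() methods) and an associative $row whose
// keys match the columns of the failing INSERT shown in the post.
function statpress_log_hit_safely( array $row ) {
    global $wpdb;

    // WordPress already adds slashes to $_SERVER values (the escaping the
    // post noticed on HTTP_REFERER). Strip them first so prepare() does not
    // escape a second time and store a stray backslash in the table.
    $row = array_map( 'stripslashes', $row );

    // Each %s is quoted and escaped by prepare(): "foto's" is emitted as
    // 'foto\'s', so the apostrophe cannot terminate the literal and the
    // rest of the value cannot be parsed as SQL.
    $sql = $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}statpress
            (date, time, ip, urlrequested, agent, referrer, search,
             nation, os, browser, searchengine, spider, feed)
         VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
        $row['date'], $row['time'], $row['ip'], $row['urlrequested'],
        $row['agent'], $row['referrer'], $row['search'], $row['nation'],
        $row['os'], $row['browser'], $row['searchengine'], $row['spider'],
        $row['feed']
    );

    // Returns the number of affected rows, or false on a database error.
    return $wpdb->query( $sql );
}
```

The same rule covers the referrer and the User-Agent: no request-controlled value should reach the SQL string except through a placeholder, regardless of whether WordPress happened to slash it first.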
Most striking though was that I had just read a post from Tom Kyte about bad practices in SQL. The quote “… apostrophe is often mistaken for a piece of computer code, corrupting the system. …” was nice. So don’t use apostrophes please, they corrupt computer systems.
P.s. True, this bug is not related to WordPress itself, since it was just a plugin writer who screwed up…
P.s.2. I think spell-checking software should add HTTP_REFERER to their word lists, since it’s an RFC-approved spelling error.