Category Archives: SQL Injection

WordPress … I really need to change my blogging software

Today I accidentally found a bug in a version of a WordPress stats plugin. I searched for a word with an apostrophe (') in it (foto's) and as a result I got the following error on some blog:


WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','nl','Linux','Firefox','Google','','')' at line 1]
INSERT INTO turbostatpress (date, time, ip, urlrequested, agent, referrer, search,nation,os,browser,searchengine,spider,feed) VALUES ('20080222','16:41:43','MY-IP-HERE','','Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.12) Gecko/20061201 Firefox/2.0.0.12 (Ubuntu-feisty)', 'LONG-REFERER', 'foto's', 'nl', 'Linux', 'Firefox', 'Google', '', '')

I’m wondering… Will this bug also appear if I change my browser identification string into something with a single quote in it? It seems that this idea has already been tested and fixed in the latest version of StatPress. ‘Unfortunately’ the $_SERVER['HTTP_REFERER'] string is escaped automagically, which seems to be done by WordPress itself, since if I try to echo $_SERVER['HTTP_REFERER'] within the StatPress plugin the ‘ in my referrer is escaped with a \, while this is not the case in a normal PHP script. I say unfortunately since the StatPress plugin writer doesn’t escape the referrer himself.
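To make the difference concrete, here is an added example (not StatPress's own code) of the kind of string-built INSERT that produces the error above, next to the same insert done through WordPress's $wpdb API, which quotes each value itself. It assumes it runs inside WordPress (so the global $wpdb exists); the table and column names are the ones visible in the error message, the function names and the IP are made up for the example.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress context where
// the global $wpdb object is available. Table and columns are those from
// the error message above; function names are hypothetical.

// Fragile: values dropped straight into the SQL string. A search term such
// as foto's closes the string literal early, so the rest of the statement
// is no longer what the plugin intended and MySQL reports a syntax error.
function statpress_log_concat( array $row ) {
    global $wpdb;
    $sql = "INSERT INTO turbostatpress (date, time, ip, urlrequested, agent,"
         . " referrer, search, nation, os, browser, searchengine, spider, feed)"
         . " VALUES ('" . implode( "','", $row ) . "')";
    return $wpdb->query( $sql ); // false for the foto's row
}

// Robust: $wpdb->insert() quotes every value for you. The '%s' format tells
// it to treat the value as a string and escape it, so the apostrophe in
// foto's ends up inside the literal instead of terminating it.
function statpress_log_safe( array $row ) {
    global $wpdb;
    $formats = array_fill( 0, count( $row ), '%s' );
    return $wpdb->insert( 'turbostatpress', $row, $formats );
}

// WordPress has already added slashes to $_SERVER (the behaviour noticed
// above), so strip them first; otherwise $wpdb escapes the backslash too and
// a literal \ ends up stored in the referrer column.
$referrer = isset( $_SERVER['HTTP_REFERER'] ) ? stripslashes( $_SERVER['HTTP_REFERER'] ) : '';
$agent    = isset( $_SERVER['HTTP_USER_AGENT'] ) ? stripslashes( $_SERVER['HTTP_USER_AGENT'] ) : '';

$row = array(
    'date'         => '20080222',
    'time'         => '16:41:43',
    'ip'           => '192.0.2.10',   // constructed placeholder address
    'urlrequested' => '',
    'agent'        => $agent,
    'referrer'     => $referrer,
    'search'       => "foto's",       // the term that triggered the error
    'nation'       => 'nl',
    'os'           => 'Linux',
    'browser'      => 'Firefox',
    'searchengine' => 'Google',
    'spider'       => '',
    'feed'         => '',
);

statpress_log_safe( $row ); // 1 row inserted; statpress_log_concat( $row ) would fail
```

Note that $wpdb->insert() and $wpdb->prepare() do the quoting, but neither removes the slashes WordPress added to $_SERVER, which is why the stripslashes() step is there.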

Most striking, though, was that I had just read a post from Tom Kyte about bad practice in SQL. The quote “… apostrophe is often mistaken for a piece of computer code, corrupting the system. …” was nice. So don’t use apostrophes please, they corrupt computer systems ;-)

P.S. True, this bug is not related to WordPress itself, since it was just a plugin writer who screwed up…

P.S. 2: I think spell-checking software should add HTTP_REFERER to its word lists, since it’s an RFC-approved spelling error ;).