Archive for the ‘Wordpress’ Category

Wordpress … I really need to change my blogging software

Friday, February 22nd, 2008

Today I accidentally found a bug in a version of a wordpress stats plugin. I searched for a word with a “‘” in it (foto’s) and as a result I got the following error on some blog:


WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','nl','Linux','Firefox','Google','','')' at line 1]
INSERT INTO turbostatpress (date, time, ip, urlrequested, agent, referrer, search, nation, os, browser, searchengine, spider, feed) VALUES ('20080222','16:41:43','MY-IP-HERE','','Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.12) Gecko/20061201 Firefox/2.0.0.12 (Ubuntu-feisty)', 'LONG-REFERER', 'foto's', 'nl', 'Linux', 'Firefox', 'Google', '', '')

I’m wondering… Will this bug also appear if I change my browser identity string into something with a single quote in it? Seems that this idea has already been tested + fixed in the latest version of StatPress. ‘Unfortunately’ the $_SERVER['HTTP_REFERER'] string is escaped automagically. Which seems to be done by WordPress itself, since if I try to echo $_SERVER['HTTP_REFERER'] within the StatPress plugin the ‘ in my referrer is escaped with a \, while this is not the case in a normal PHP script. I say unfortunately since the StatPress plugin writer doesn’t escape the referrer himself.
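The failing INSERT above is built by pasting the search term straight into the SQL text, so the apostrophe in "foto's" ends the string literal early. The usual fix inside WordPress is to hand the values to $wpdb and let it quote them. The snippet below is an added example, not the StatPress plugin's code or a patch from its author: it assumes it runs inside WordPress (so $wpdb and wp_unslash() exist), keeps the column names from the quoted statement, and invents the function name turbostatpress_record_hit(). The wp_unslash() call is there because WordPress adds slashes to $_GET, $_POST and $_SERVER on load, which is the "automagic" escaping noted above; undoing it before the prepared insert avoids storing doubled backslashes.

```php
<?php
// Added example (not the StatPress plugin's own code). Stores one hit in the
// turbostatpress table using $wpdb->insert(), which builds a prepared
// statement, instead of concatenating user-controlled strings into SQL.
// Assumes WordPress is loaded: $wpdb and wp_unslash() are available.

function turbostatpress_record_hit( $search_term, $nation, $os, $browser, $searchengine, $spider, $feed ) {
    global $wpdb;

    // WordPress slashes request superglobals on load (wp_magic_quotes()).
    // Undo that once so the real value is stored; quoting is $wpdb's job.
    $server = wp_unslash( $_SERVER );

    // Column names come from the failing statement quoted in the post.
    $row = array(
        'date'         => gmdate( 'Ymd' ),
        'time'         => gmdate( 'H:i:s' ),
        'ip'           => isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '',
        'urlrequested' => isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '',
        'agent'        => isset( $server['HTTP_USER_AGENT'] ) ? $server['HTTP_USER_AGENT'] : '',
        'referrer'     => isset( $server['HTTP_REFERER'] ) ? $server['HTTP_REFERER'] : '',
        'search'       => $search_term,   // "foto's" is stored as-is, apostrophe included
        'nation'       => $nation,
        'os'           => $os,
        'browser'      => $browser,
        'searchengine' => $searchengine,
        'spider'       => $spider,
        'feed'         => $feed,
    );

    // Every column here is text, so one '%s' placeholder per column.
    $format = array_fill( 0, count( $row ), '%s' );

    // Returns the number of rows inserted, or false on error. A single quote
    // in any value can no longer terminate the SQL string literal.
    return $wpdb->insert( 'turbostatpress', $row, $format );
}

// Reading the data back follows the same rule: parameters go through
// $wpdb->prepare(), never into the query text directly.
function turbostatpress_count_search( $search_term ) {
    global $wpdb;
    return (int) $wpdb->get_var(
        $wpdb->prepare( 'SELECT COUNT(*) FROM turbostatpress WHERE search = %s', $search_term )
    );
}
```

With this in place the constructed input "foto's" is inserted and counted as one row, and the only thing the apostrophe changes is the stored text.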

Most striking though was that I just read a post from Tom Kyte about bad practice on SQL. The quote “… apostrophe is often mistaken for a piece of computer code, corrupting the system. …” was nice. So don’t use apostrophes please, they corrupt computer systems ;-)

P.s. True, this bug is not related to WordPress itself, since it was just a plugin writer who screwed up…

P.s.2. I think spell-checking software should add HTTP_REFERER to their word lists, since it’s an RFC-approved spelling error ;) .

Wordpress privacy concerns

Thursday, September 27th, 2007

I was told by a colleague that WordPress was being discussed on the privacy subject. Now I don’t want to go into that discussion, but I encountered a post by Ryan Finnie about $_SERVER variables being sent to the Akismet server.

If you plan to use HTTP authentication and use Akismet it’s a wise idea to patch your Akismet with the patch provided by Ryan Finnie. This because otherwise your login data is sent to the Akismet server every time it checks the comment post. True, having both Akismet and HTTP authentication is a bit strange, but I think it’s better to remove such data than to have it transferred to Akismet.

I hope Matt will accept this bug as being valid.

I also found some other items about the need to send $_SERVER in total. Certainly the enhanced Akismet plugin sounds like a good alternative.
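The risk described in this post is that a plugin copies $_SERVER wholesale into a request to a third party, and with HTTP authentication in front of the blog that copy carries the credentials. The function below is an added example, not the Akismet plugin's code and not Ryan Finnie's patch: it removes the standard PHP/CGI entries that carry credentials or session material before the array is reused. The key names are the ones PHP itself populates; the helper name and the payload layout are assumptions for illustration.

```php
<?php
// Added example (not Akismet's code or the patch discussed in the post).
// Removes credential-bearing entries from a copy of $_SERVER before that
// copy is merged into data handed to an external service.

function strip_credentials_from_server( array $server ) {
    // Standard keys PHP fills in from the request; none of them is needed
    // to describe a comment, and all of them identify or authenticate the visitor.
    $sensitive = array(
        'PHP_AUTH_USER',      // HTTP Basic auth user name
        'PHP_AUTH_PW',        // HTTP Basic auth password, in clear text
        'PHP_AUTH_DIGEST',    // raw Digest auth header
        'HTTP_AUTHORIZATION', // raw Authorization header, where the SAPI exposes it
        'HTTP_COOKIE',        // session cookies, including the WordPress login cookie
    );
    foreach ( $sensitive as $key ) {
        unset( $server[ $key ] );
    }
    return $server;
}

// Usage sketch: the comment fields win over any same-named server entry, and
// the request is built from the filtered copy, never from $_SERVER directly.
function build_comment_payload( array $comment_fields ) {
    return array_merge( strip_credentials_from_server( $_SERVER ), $comment_fields );
}
```

A denylist like this is the minimal change; an allowlist that forwards only the handful of headers the remote service actually needs would be tighter still, but which headers those are is for the service's documentation to say.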

I hate blogging already….

Friday, September 7th, 2007

So. I was writing a post about some one-liner I wrote to move a lot of (but not all) directories in an svn repository to another directory. Because the one-liner was getting lengthy I added slashes to it so it was more readable. But on saving I lost my slashes?!

This seems to be caused by a two-year-old bug in WordPress. I hope that with the fix I posted this bug will be resolved soon. For now I’ll just patch my version of WordPress.