Custom maps page error

Started by Karsten75, March 21, 2010, 04:21:29 PM


Karsten75

Click on this link.

It should take you to the download page for Rushed, a map by Cap'n Trey.

On that page, click on the link of the map author.

You will get a screen with no maps.

Use the drop-down to select the map author and select Cap'n Trey from the list of authors.  A screen with 6 maps will show.

UpperKEES

#1
It's caused by the quote in the author name. The same happens for .Alb'

The SQL parser has a problem with this.

Karsten75

I know, but if we don't report it, &V can't fix it...

knucracker

Should be all fixed up now....

Karsten75

Quote from: UpperKEES on March 21, 2010, 04:28:23 PM
It's caused by the quote in the author name. The same happens for .Alb'

The SQL parser has a problem with this.

Actually, FWIW, this is a manifestation of the "SQL injection problem."  If a map author had uploaded a map and had chosen a malicious name, they could have gotten access to the tables, deleted the tables or any other kind of naughtiness.

http://xkcd.com/327/

knucracker

In this instance, it was a simple problem with me not stripping slashes on the query args.  I make sure to sanitize any inputs before they get built into query strings.  In this case, there was just an extra slash before the single quote in some author names.
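The three things the thread touches on (a raw apostrophe breaking the query, an over-escaped value matching nothing, and a crafted name rewriting the query) can be reproduced in a few lines. The following is an added example and not code from the map site or from knucracker; the `maps` table, its `title`/`author` columns and the map counts per author are assumptions, and because SQLite escapes a quote by doubling it (`''`) rather than with a backslash, the "extra slash" case from the post is shown as a quote escaped twice.

```python
import sqlite3

# Constructed sample data standing in for the site's map listing (assumed schema).
AUTHORS = {"Cap'n Trey": 6, ".Alb'": 2, "knucracker": 3}


def build_db():
    """Creates an in-memory maps table and fills it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maps (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    rows = []
    for author, count in AUTHORS.items():
        rows += [(f"{author} map {i}", author) for i in range(1, count + 1)]
    conn.executemany("INSERT INTO maps (title, author) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def escape_quotes(value):
    """SQL-standard quoting: each ' becomes ''. Applying it twice over-escapes."""
    return value.replace("'", "''")


def maps_by_author_unsafe(conn, author):
    """Builds the WHERE clause by string concatenation (the pattern the thread describes)."""
    sql = "SELECT title FROM maps WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def maps_by_author_safe(conn, author):
    """Bound parameter: the value never becomes part of the SQL text."""
    sql = "SELECT title FROM maps WHERE author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]


def demo():
    conn = build_db()
    results = {}

    # 1. Raw apostrophe: the concatenated query is syntactically broken
    #    (SELECT ... WHERE author = 'Cap'n Trey'), so the page shows no maps.
    try:
        maps_by_author_unsafe(conn, "Cap'n Trey")
        results["unsafe_raw"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_raw"] = "syntax error"

    # 2. Escaped exactly once: the query is valid and finds the author's maps.
    results["escaped_once"] = len(maps_by_author_unsafe(conn, escape_quotes("Cap'n Trey")))

    # 3. Escaped twice (the over-escaping the last post describes, in SQLite's
    #    quoting): the query is valid but looks for the wrong string, so 0 maps.
    results["escaped_twice"] = len(
        maps_by_author_unsafe(conn, escape_quotes(escape_quotes("Cap'n Trey")))
    )

    # 4. Crafted author name: the apostrophe closes the literal and the rest
    #    becomes SQL, here turning the filter into a tautology that lists every map.
    results["unsafe_injected"] = len(maps_by_author_unsafe(conn, "x' OR '1'='1"))

    # 5. Parameterized query: the apostrophe is just data, no escaping needed.
    results["safe"] = len(maps_by_author_safe(conn, "Cap'n Trey"))

    conn.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 2 is why an escape-once scheme appears to work until something upstream (magic quotes, a framework filter) has already escaped the value, which is the "extra slash" situation; the bound parameter in case 5 sidesteps both the double-escaping and the injection in case 4.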