Custom maps page error


Karsten75

  • Hero Member
    • Posts: 6912
on: March 21, 2010, 04:21:29 pm
Click on this link.

It should take you to the download page for Rushed, a map by Cap'n Trey.

On that page, click on the link of the map author.

You will get a screen with no maps.

Use the drop-down to select the map author and select Cap'n Trey from the list of authors.  A screen with 6 maps will show.

'If you want to live a happy life, tie it to a goal, not to people or things.'

Albert Einstein
(1879-1955)


UpperKEES

  • Hero Member
    • Posts: 5525
  • The Creeper is getting deeper.... into me.
Reply #1 on: March 21, 2010, 04:28:23 pm
It's caused by the quote in the author name. The same happens for .Alb'

The SQL parser has a problem with this.
« Last Edit: March 21, 2010, 04:30:07 pm by UpperKEES »

My CW1 maps: downloads - overview
My CW2 maps: downloads - overview


Karsten75

  • Hero Member
    • Posts: 6912
Reply #2 on: March 21, 2010, 04:31:32 pm
I know, but if we don't report it, &V can't fix it...

'If you want to live a happy life, tie it to a goal, not to people or things.'

Albert Einstein
(1879-1955)


knucracker

  • Administrator
    • Posts: 11767
Reply #3 on: March 22, 2010, 08:26:51 pm
Should be all fixed up now....



Karsten75

  • Hero Member
    • Posts: 6912
Reply #4 on: March 22, 2010, 10:11:50 pm
It's caused by the quote in the author name. The same happens for .Alb'

The SQL parser has a problem with this.

Actually, FWIW, this is a manifestation of the "SQL injection problem."  If a map author had uploaded a map and had chosen a malicious name, they could have gotten access to the tables, deleted the tables or any other kind of naughtiness.

http://xkcd.com/327/

'If you want to live a happy life, tie it to a goal, not to people or things.'

Albert Einstein
(1879-1955)


knucracker

  • Administrator
    • Posts: 11767
Reply #5 on: March 22, 2010, 10:52:14 pm
In this instance, it was a simple problem with me not stripping slashes on the query args.  I make sure to sanitize any inputs before they get built into query strings.  In this case, there was just an extra slash before the single quote in some author names.
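Added example (not code from the forum or from the site's own code) illustrating both points in this thread: Karsten75's note that a quote in an author name breaks a query built by string concatenation, and knucracker's explanation that a query argument arriving with an extra slash before the quote will not match any author until the slashes are stripped. It uses an in-memory SQLite table with constructed sample rows; the table layout, the titles and the PHP-style stripslashes() helper are assumptions.

```python
import sqlite3

# Constructed sample data modelled on the thread: author names containing a quote
# (the page mentions Cap'n Trey, who has 6 maps, and .Alb').
SAMPLE_MAPS = [("Cap'n Trey", f"Rushed {i}") for i in range(1, 7)] + [(".Alb'", "Alb map")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE maps (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    con.executemany("INSERT INTO maps (author, title) VALUES (?, ?)", SAMPLE_MAPS)
    return con

def maps_by_author_concat(con, author):
    """Fragile form: the author name is spliced into the SQL text, so a quote
    in the name ends the string literal early and the statement fails."""
    sql = "SELECT title FROM maps WHERE author = '" + author + "'"
    return [row[0] for row in con.execute(sql)]

def maps_by_author_param(con, author):
    """Parameterized form: the value travels separately from the SQL text, so a
    quote inside it is plain data and cannot alter the statement."""
    rows = con.execute("SELECT title FROM maps WHERE author = ?", (author,))
    return [row[0] for row in rows]

def stripslashes(s):
    """Assumed helper mimicking PHP stripslashes(): drop one backslash before
    each escaped character (so Cap\\'n Trey becomes Cap'n Trey)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            i += 1  # skip the escaping backslash, keep the escaped char
        out.append(s[i])
        i += 1
    return "".join(out)

def lookup_from_query_arg(con, arg):
    """Model of the fix described in the thread: the query argument may arrive
    pre-slashed, so strip those slashes, then run the parameterized lookup."""
    return maps_by_author_param(con, stripslashes(arg))

if __name__ == "__main__":
    db = make_db()
    try:
        maps_by_author_concat(db, "Cap'n Trey")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)       # the 'no maps' screen
    print(maps_by_author_param(db, "Cap'n Trey"))      # 6 titles
    print(maps_by_author_param(db, "Cap\\'n Trey"))    # [] : extra slash, no match
    print(lookup_from_query_arg(db, "Cap\\'n Trey"))   # 6 titles again
```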