
osCommerce


bugs in review interface admin side



I get the same

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('2', '1', 'test'test')

Steve


1 hour ago, kgtee said:

This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below. 

More info:

https://www.php.net/manual/en/security.magicquotes.php

I'm running 7.2

Server Information

Server OS: Linux 3.10.0-957.27.2.el7.x86_64
Database: MySQL 5.5.60-MariaDB
Server Date: 2019-08-10 13:47:49 +1000 AEST
Database Date: 2019-08-10 13:47:49
HTTP Server: Apache/2.4.6
PHP Version: 7.2.10 (Zend: 3.2.0)

Ok, I fixed the error, maybe the line needs a review?

Line 55 of /admin/reviews.php

from

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

to

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

 

tep_db_input() seems to fix the error.

Steve

 


2 hours ago, stefan1959 said:

Ok, I fixed the error, maybe the line needs a review?

Line 55 of /admin/reviews.php

from

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

to

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

 

tep_db_input() seems to fix the error.

Steve

 

I'll try it. I'm not so expert in osCommerce code, but I believe there are only two solutions: either use "prepare" (but I have never used it with mysqli, only in PDO), or we must clean the string of dangerous characters; usually I use addslashes or htmlspecialchars.

This way it is also a danger for SQL injection.

Enrico


Only one solution, sorry, that should have read:

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php

I'm no expert either, so maybe I can be corrected :)

Steve


26 minutes ago, stefan1959 said:

Only one solution, sorry, that should have read:

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php

I'm no expert either, so maybe I can be corrected :)

Steve

Yes, thank you, it seems to work properly.

Enrico


I get an error when I add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve
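An added example, not osCommerce's code and not code posted by anyone in this thread, that reproduces the failure on the review text quoted above and shows the two fixes the thread discusses: escaping the value for the string literal (what tep_db_input() does for MySQL) and the prepared statement Enrico mentions. It also prints the query as built, which is the direct way to see what ends up in the INSERT from $review. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs without a MySQL server; the table and column names follow the query in the thread, and the review text is the constructed sample from the error message.

```php
<?php
// Added example (not osCommerce code). Demonstrates why an apostrophe in the review
// text breaks a concatenated INSERT and how escaping or a prepared statement fixes it.
// In-memory SQLite via PDO so the script runs stand-alone; osCommerce itself talks to
// MySQL/MariaDB through mysqli, but the string-literal problem is identical there.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviews_description (reviews_id INTEGER, languages_id INTEGER, reviews_text TEXT)');

// Constructed sample input: the values from the 1064 error quoted in the thread.
$insert_id    = 10;
$languages_id = 1;
$review       = "Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...";

// 1. Raw concatenation, as in the original line 55. The apostrophe in "it's" closes the
//    string literal early; everything after it is parsed as SQL and fails.
$sql = "insert into reviews_description (reviews_id, languages_id, reviews_text) values ('"
     . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')";
echo "Query as built (this is what $review becomes in the statement):\n$sql\n\n";
try {
    $db->exec($sql);
    echo "Unexpected: concatenated query succeeded\n";
} catch (PDOException $e) {
    echo "Concatenation failed, as in the thread: " . $e->getMessage() . "\n\n";
}

// 2. Escape the value for the string-literal context. tep_db_input() does this for MySQL
//    through the driver's real_escape_string; PDO::quote() is the driver-aware equivalent
//    here and already adds the surrounding quotes, so they are not repeated in the SQL.
$sql = "insert into reviews_description (reviews_id, languages_id, reviews_text) values ("
     . (int)$insert_id . ", " . (int)$languages_id . ", " . $db->quote($review) . ")";
$db->exec($sql);
echo "Escaped query stored the row.\n";

// 3. Prepared statement: the value is sent separately from the SQL text, so there is no
//    escaping step that can be forgotten on some other code path (e.g. the shop side).
$stmt = $db->prepare('insert into reviews_description (reviews_id, languages_id, reviews_text) values (?, ?, ?)');
$stmt->execute([$insert_id, $languages_id, $review]);
echo "Prepared statement stored the row.\n\n";

// Verify both rows kept the apostrophe intact.
foreach ($db->query('select reviews_id, reviews_text from reviews_description') as $row) {
    echo $row['reviews_id'] . ': ' . $row['reviews_text'] . "\n";
}
```

Run it with `php review_insert.php`. Two points the thread brushes past: htmlspecialchars() is an escape for the HTML output context and does nothing useful for SQL, and addslashes() is not aware of the connection character set, which is why the driver's own escape function (what tep_db_input() wraps) or a prepared statement is the right tool for the SQL context.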


23 minutes ago, stefan1959 said:

Is there a way for me to view what being put into $review

I believe $review is simply an array of the review text from your database. So if you check your db it should show you what text is in each review.

 


26 minutes ago, stefan1959 said:

I get an error when I add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve

Is this error coming from the file on the shop side?


6 hours ago, stefan1959 said:

I get an error when I add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve

What this is saying is ... you are inserting data into the table reviews_description. The data to be inserted is surrounded by single quotes. Unfortunately, the code thinks that the apostrophe in the word it's is the end of the data, and doesn't know what to do with the remaining 's the best ...'

Now, how to solve this ... I don't know.

M


8 hours ago, stefan1959 said:

Only one solution, sorry, that should have read:

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php

I'm no expert either, so maybe I can be corrected :)

Steve

This solution should do it.
