Escaping issue in TeraWurflDatabase_MySQL5.php

The API formerly known as Tera-WURFL
Athanor
Posts: 2
Joined: Mon Nov 26, 2012 2:08 am

Escaping issue in TeraWurflDatabase_MySQL5.php

Postby Athanor » Mon Nov 26, 2012 2:25 am

Hello there,

I occasionally see this kind of error in my Apache logs:
PHP Fatal error: Uncaught exception 'Exception' with message 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.820' at line 1' in [...]/DatabaseConnectors/TeraWurflDatabase_MySQL5.php:412
Stack trace:
#0 [...]/TeraWurfl.php(210): TeraWurflDatabase_MySQL5->getDeviceFromCache('6.47.820')
#1 [...]/TeraWurfl.php(181): TeraWurfl->getDeviceCapabilitiesFromRequest(Array)
#2...
Here is the incriminating line:
$res = $this->dbcon->query("SELECT * FROM `$tablename` WHERE `user_agent`=".$this->SQLPrep($userAgent));
Which brought me to the function SQLPrep() and how it adds proper quotes after testing whether the argument is not numeric using TeraWurflDatabase::isNumericSafe():
public static function isNumericSafe($value) {
return (bool)preg_match('/^-?[\d]+([\.\d]+)?$/', $value);
}
It's quite obvious here: the current regex will consider a string with several dots '.' as numeric.

Suggested regex (barely tested): '/^-?[\d]+(\.[\d]+)?$/'

Regards,

kamermans
Posts: 393
Joined: Mon Jun 06, 2011 9:50 am

Re: Escaping issue in TeraWurflDatabase_MySQL5.php

Postby kamermans » Mon Nov 26, 2012 12:26 pm

Thanks for the info, we will fix the function and include it in a minor release update in the coming days.

EDIT: I think this fix should work:


public static function isNumericSafe($value) {
	return (bool)preg_match('/^-?\d+(\.\d+)?$/', $value);
}
Thanks,

Steve Kamerman
ScientiaMobile

Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!
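The following is an added example, not code from the thread or from Tera-WURFL itself. It reproduces both regexes from the posts above in Python (PCRE and Python's re agree on these patterns) and a hypothetical stand-in for SQLPrep() that, like the original, emits values the regex accepts bare and quotes everything else. It shows why the cache lookup for '6.47.820' produced broken SQL with the old pattern, and what the fixed pattern does with the same input and a few other edge cases ('1.', a quote-bearing string). The table name TeraWurflCache and the escaping helper are placeholders.

```python
import re

# Pattern from the shipped TeraWurflDatabase::isNumericSafe() (the buggy one):
# "([\.\d]+)?" allows any mix of dots and digits after the first digit run.
OLD_NUMERIC_RE = re.compile(r'^-?[\d]+([\.\d]+)?$')

# Pattern from the proposed fix: at most one dot, and it must be followed by digits.
NEW_NUMERIC_RE = re.compile(r'^-?\d+(\.\d+)?$')


def is_numeric_safe(value, pattern=NEW_NUMERIC_RE):
    """Return True when `value` is a plain integer or decimal literal."""
    return pattern.match(value) is not None


def sql_prep(value, pattern=NEW_NUMERIC_RE):
    """Hypothetical reimplementation of SQLPrep()'s quoting decision (not the
    project's code): numbers go into the query bare, everything else is
    single-quoted with backslash escaping of quotes and backslashes."""
    if is_numeric_safe(value, pattern):
        return value
    escaped = value.replace('\\', '\\\\').replace("'", "\\'")
    return "'" + escaped + "'"


def build_query(user_agent, pattern=NEW_NUMERIC_RE, tablename='TeraWurflCache'):
    """Assemble the cache lookup the same way the offending line does."""
    return "SELECT * FROM `%s` WHERE `user_agent`=%s" % (
        tablename, sql_prep(user_agent, pattern))


# Constructed inputs: the user agent from the stack trace plus a few edge cases.
SAMPLES = ['6.47.820', '6.47', '-12', '1.', 'Mozilla/5.0', "O'Reilly", '']


def compare(samples=SAMPLES):
    """Map each sample to (old regex verdict, new regex verdict)."""
    return {s: (is_numeric_safe(s, OLD_NUMERIC_RE), is_numeric_safe(s)) for s in samples}


if __name__ == '__main__':
    for ua, (old, new) in compare().items():
        print('%-12r old=%-5s new=%-5s -> %s' % (ua, old, new, build_query(ua)))
```

With the old pattern, '6.47.820' is classified as numeric and lands in the query unquoted, which is exactly the `near '.820'` syntax error in the log; with the fixed pattern it is quoted like any other string. Note that '1.' is also accepted by the old pattern and rejected by the new one. Two caveats worth keeping in mind: `$` in both PCRE and Python matches before a trailing newline, so use `\z` (PCRE) or `\Z` (Python) if a bare trailing newline must be rejected; and values that still pass the check are sent to MySQL as numeric literals, so a comparison against a string column such as `user_agent` is performed with MySQL's string-to-number coercion rather than as a string equality, which is a reason to quote every value regardless of how it looks.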

