Ticket #5471 (closed defect: fixed)

Opened 9 months ago

Last modified 7 months ago

?feed=rss2&p=-1 results in db error, showing sql query (table prefixes)

Reported by: lloydbudd
Assigned to: anonymous
Priority: normal
Milestone: 2.5
Component: General
Version: 2.5
Severity: normal
Keywords:
Cc:

Description

?feed=rss2&p=-1 results in db error, showing sql query (table prefixes)

ENV: WordPress trunk r6385
* WP 2.0.9 bug doesn't repro

ACTUAL RESULT:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 10' at line 1]
SELECT wp_comments.* FROM wp_comments WHERE comment_post_ID = AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 10

Change History

12/16/07 08:25:21 changed by DD32

See also: #5185 "If you append /feed to an invalid post url (the post itself returns a 404), you get a SQL error on top:"

12/17/07 15:18:55 changed by docwhat

Originally reported here: http://blogsecurity.net/news/news-110707/

Note: wordpress.com seems immune to this problem, for some reason.

I'd consider this a class error. Why are any DB errors shown to anyone but Admin or if DEBUG is turned on?

Workaround (a plugin): http://blogsecurity.net/wordpress/wpdberrors-plugin-removing-wordpress-db-errors/

Ciao!
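
The failure in the description and the error-display question in the comment above, as an added PHP example that is not part of the ticket and is not WordPress code. The in-memory SQLite database, the function names and the sample row are assumptions; the table and column names are taken from the reported query.

```php
<?php
// Added example, not WordPress code. Table and column names come from the
// query in the report; function names and the SQLite stand-in are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY,
    comment_post_ID INTEGER, comment_approved TEXT, comment_date_gmt TEXT)");
// Constructed sample row.
$db->exec("INSERT INTO wp_comments VALUES (1, 7, '1', '2007-12-16 08:25:21')");

// 'Before': the ID is interpolated, and a failed query is echoed to the visitor.
function feed_comments_unsafe(PDO $db, $post_id): string {
    $sql = "SELECT wp_comments.* FROM wp_comments WHERE comment_post_ID = $post_id"
         . " AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 10";
    try {
        return count($db->query($sql)->fetchAll()) . " comment(s)";
    } catch (PDOException $e) {
        // Discloses the table prefix and query structure to any visitor.
        return "database error: [" . $e->getMessage() . "]\n" . $sql;
    }
}

// 'After': reject a missing or non-positive ID before any SQL is built, bind
// the value, and send failures to the server log instead of the response.
function feed_comments_safe(PDO $db, $post_id, bool $debug = false): string {
    $id = filter_var($post_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return "no such post"; // the caller would answer with a 404
    }
    try {
        $stmt = $db->prepare("SELECT * FROM wp_comments WHERE comment_post_ID = ?"
            . " AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 10");
        $stmt->execute([$id]);
        return count($stmt->fetchAll()) . " comment(s)";
    } catch (PDOException $e) {
        error_log("comment feed query failed: " . $e->getMessage());
        return $debug ? "database error: " . $e->getMessage() : "feed unavailable";
    }
}

// An empty ID (as in the reported query), a negative one, then a valid one.
foreach (['', '-1', '7'] as $p) {
    echo "p=" . var_export($p, true) . "\n  unsafe: " . feed_comments_unsafe($db, $p)
       . "\n  safe:   " . feed_comments_safe($db, $p) . "\n";
}
```

With the empty ID the first function returns the SQL syntax error together with the full query, while the second returns "no such post" without touching the database.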

12/17/07 17:12:11 changed by lloydbudd

  • component changed from Security to General.

In the context of the work in #5473 this is no longer a security issue.

02/07/08 18:21:32 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

I think this is fixed by [6683]