Needlworks / Textcube

Textcube : Brand yourself! / Personalized web publishing platform with multi-user support
http://www.textcube.org

Warning generated by mysql_real_escape_string #1627

Closed achimnol closed 10 years ago

achimnol commented 11 years ago

After changing my blog to 1.9 tree, I see the following warning printed at the bottom of my blog main pages.

Warning: mysql_real_escape_string(): Access denied for user 'www-data'@'localhost' (using password: NO) in /.../blog/framework/data/MySQL/Adapter.php on line 276

The reason is that mysql_real_escape_string() requires explicit database connection BEFORE calling it when $link == null. There are three possible fixes:

  1. Use prepared SQL statements only without escaping (pros: safest way, cons: needs to rewrite more than 100 queries used everywhere & MySQLi is required)
  2. Fix the order of the code so that it connects to the DB first (reference, pros: no tricks, cons: needs to understand the workflow in detail)
  3. Write our own escape() function (pros: easy to fix, cons: possible security hole unless carefully written)
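Options 1 and 2 above, as an added illustration that is not Textcube's own code: the adapter owns the connection and escapes only through an explicit, open link, and a prepared statement shows the no-escaping route. Class, method and table names (SafeAdapter, connect, escapeString, fetchByUrl, Entries) are hypothetical; it assumes PHP 8 with the mysqli extension.

```php
<?php
// Added example, not Textcube code. Names here are hypothetical.
final class SafeAdapter
{
    private ?mysqli $db = null;

    public function __construct(
        private string $host, private string $user,
        private string $pass, private string $name) {}

    // Option 2: escaping must never run before the link exists, so the
    // adapter opens the connection itself on first use instead of relying
    // on the caller's ordering.
    private function connect(): mysqli
    {
        if ($this->db === null) {
            // Turn driver failures into exceptions instead of the page-level
            // warnings seen in the issue; a failed escape must not continue.
            mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
            $this->db = new mysqli($this->host, $this->user, $this->pass, $this->name);
            // Escaping is only correct for the charset the connection uses.
            $this->db->set_charset('utf8mb4');
        }
        return $this->db;
    }

    // Always escape through the explicit link. A null link is what made
    // mysql_real_escape_string() attempt its own (unauthenticated) connect.
    public function escapeString(string $value): string
    {
        return $this->connect()->real_escape_string($value);
    }

    // Option 1: a prepared statement needs no escaping at all; the value is
    // sent separately from the SQL text.
    public function fetchByUrl(string $url): array
    {
        $stmt = $this->connect()->prepare(
            'SELECT id, title FROM Entries WHERE url = ?');
        $stmt->bind_param('s', $url);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }
}
```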

inureyes commented 10 years ago

We already encapsulate every query via codeball database adapter (located at /framework/data). Therefore the problem is: when the code first calls DBModel::escapeString.

inureyes commented 10 years ago

First escapeString call is from reading pageCache to load blog settings.

inureyes commented 10 years ago

It could be a plugin-specific problem. Can you backtrace your escapeString call? Add var_dump(debug_backtrace()); below if(is_null(self::$escapeTag)) { and share the first call point with us. :)

achimnol commented 10 years ago

I extracted FILE:FUNC:LINE only because var_dump()-ing produced too much output...

library/model/blog.response.remote.php:escapeString Line 96
library/model/blog.response.remote.php:getRemoteResponses Line 277
library/view/view.php:getTrackbacks Line 186
interface/common/blog/entries.php:getTrackbacksView Line 77
interface/index.php:require Line 108
rewrite.php:include_once Line 11

inureyes commented 10 years ago

Can you check the self::$db value when escapeString is called at first? I would like to know whether DB connection is established when mysql_real_escape_string is called. Theoretically, it should be called after DB is connected (self::$db is not null or false)

achimnol commented 10 years ago

In framework/data/MySQL/adaptor.php DBAdaptor::escapeString(), self::$db is 1 and $link from the arguments is null. (Shouldn't these be same?) This leads to invocation of mysql_real_escape_string().

/home/daybreaker/www/blog/library/model/blog.response.remote.php:escapeString Line 96
/home/daybreaker/www/blog/library/model/blog.response.remote.php:getRemoteResponses Line 277
/home/daybreaker/www/blog/library/view/view.php:getTrackbacks Line 186
/home/daybreaker/www/blog/interface/common/blog/entries.php:getTrackbacksView Line 77
/home/daybreaker/www/blog/interface/index.php:require Line 108
/home/daybreaker/www/blog/rewrite.php:include_once Line 11
self:$db = 1
self:$escapeTag = 
$link ?null 1
/home/daybreaker/www/blog/library/model/blog.response.remote.php:escapeString Line 133
/home/daybreaker/www/blog/library/model/blog.response.remote.php:getRecentRemoteResponses Line 285
/home/daybreaker/www/blog/interface/common/blog/end.php:getRecentTrackbacks Line 77
/home/daybreaker/www/blog/interface/index.php:require Line 109
/home/daybreaker/www/blog/rewrite.php:include_once Line 11
self:$db = 1
self:$escapeTag = real
$link ?null 1

achimnol commented 10 years ago

Another similar issue:

Warning: mysql_query(): Access denied for user 'www-data'@'localhost' (using password: NO) in framework/data/MySQL/Adapter.php on line 245
Warning: mysql_query(): A link to the server could not be established in framework/data/MySQL/Adapter.php on line 245

achimnol commented 10 years ago

When using the MySQLi adaptor:

Warning: mysqli::real_escape_string(): Couldn't fetch mysqli in framework/data/MySQLi/Adapter.php on line 265
Warning: mysqli::real_escape_string(): Couldn't fetch mysqli in framework/data/MySQLi/Adapter.php on line 265
Warning: mysqli::real_escape_string(): Couldn't fetch mysqli in framework/data/MySQLi/Adapter.php on line 265
Warning: mysqli::real_escape_string(): Couldn't fetch mysqli in framework/data/MySQLi/Adapter.php on line 265
Warning: mysqli::query(): Couldn't fetch mysqli in framework/data/MySQLi/Adapter.php on line 244