Unknown column 'id' in 'where clause'

Posted: Sun Apr 13, 2008 8:42 am

Thats the first time I found such an entry in rnlogs:

Quote:

Unknown column 'id' in 'where clause'
SQL was: SELECT user_email, username FROM nuke_users WHERE id='4' AND nickname='mytestuser' AND password='4803766830cc2b4919b2ef0b5f64b44e'
remote addr: xxx

I quess its from your account.I didn´t changed anything there. How do I correct this ?

registered · Posted: Sun Apr 13, 2008 11:27 am

Weird, looks like the real code should be using 'user_id' rather than 'id'
I haven't looked to see where this is generated yet

registered · Posted: Sun Apr 13, 2008 8:58 pm

Susann, if you can narrow down which function is doing this within YA it would be greatly appreciate it.

Posted: Mon Apr 14, 2008 5:35 am

I think its not in your account because I would see this just every time in rnlogs whenever my testuser logged in. Maybe its from the journal or nsn gr downloads don´t know but I still try to find out where it comes from.

Posted: Mon Apr 14, 2008 5:51 am

Ok, Susann, thanks.

Posted: Fri Apr 25, 2008 1:49 pm

I am still not seeing this anywhere in my own logs. Have you found out anything more on this Susann?

Posted: Fri Apr 25, 2008 2:37 pm

No, I´m afraid I´ll not find out where this is from. I´ve checked the code of some nsn gr downloads files but there are just too many files.I´m using also the workboard. Could it be from there ?
I logged in like before with my testuser, downloaded the same download and didn´t get the same messages in rnlogs.

Posted: Fri Apr 25, 2008 3:04 pm

I cannot think of anything off hand that would want to do a query against a users password except perhaps (not checked) Resend or the manual creation of of a user or admin by the admin.

Posted: Sat Apr 26, 2008 2:11 pm

This user is since a long time in my database. Its not possible to check every sql select in all files but I found one error within the journal module and his journal. Maybe that was the reason but I´m not sure because with config errors set to true there aren´t any errors but his journal doesn´t exist. I will just empty the table nuke_journal_stats.

Posted: Sat Apr 26, 2008 2:31 pm

I think I have found the where but not the why.
mainfile.php around line 1688 is this line

Code:




$row = $db->sql_fetchrow($db->sql_query('SELECT user_email, username FROM '.$user_prefix.'_users WHERE id=\''.$cookie[0].'\' AND nickname=\''.$cookie[1].'\' AND password=\''.$cookie[2].'\''));

It is the only thing I can find that matches that SELECT sql.

Posted: Sat Apr 26, 2008 3:52 pm

Yeah, that doesn't make sense does it? That should be 'user_id' instead of 'id'. So, it only rears its ugly head when a subscription expires? Does that sound possible Susann?

We should definitely fix that SQL. Great sleuthing 'G'!!

Posted: Sat Apr 26, 2008 4:02 pm

Now I have had time to actually look at the code, yes you are right 'M' it is in the function paid() which handles subscriptions and I see a few lines above that one that userid is used correctly in the DELETE FROM statement.
I about to hit the sack but if it has not already been done, I'll create a Mantis issue, apply the fix and SVN.

Posted: Sat Apr 26, 2008 4:39 pm

You are a scholar and a gentleman... well, ok, maybe gentlemen, well, um, ok, how about a mighty fine bloke? ROTFL

And, Susann, your keen eye for bugs is amazing! You have allowed us to "squash" another nuke bug. :clap:

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

This team never ceases to amaze or impress me...

Posted: Sun Apr 27, 2008 4:19 am

I only wondered why nobody reported this before. Guardian thanks ! You are the hero of the day! Smile

Posted: Sun Apr 27, 2008 10:04 am

No it is you who are the hero Susann, for your diligence, patience and attention to detail.

Posted: Sun Apr 27, 2008 5:45 pm

Oh, I would call it just good teamwork Wink