
[fixed] Database errors on view topic


For a while I've been getting errors like this :-

On /index.php?name=Forums&file=viewtopic&start_rel=http:&finish_rel=cufbw&t=31&printertopic=1
While executing query "SELECT u.username, u.user_id, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, u.user_avatar_type, u.user_allowavatar, u.user_allowsmile, u.bio, u.user_timezone, u.user_occ, u.user_interests, u.user_session_time, u.user_allow_viewonline, u.user_level, p.*, pt.post_text, pt.post_subject FROM df_bbposts p, df_users u, df_bbposts_text pt WHERE p.topic_id = 31 AND pt.post_id = p.post_id AND u.user_id = p.poster_id ORDER BY p.post_time ASC LIMIT -1, 1"
the following error occured: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 1' at line 7
In: /data/WWW1/htdocs/urban-zone/htdocs/modules/Forums/viewtopic.php on line: 319
Guest information:
User id: 1
Username: Anonymous
Admin: No
IP: 123.125.71.91
Host: baiduspider-123-125-71-91.crawl.baidu.com

Pretty much always from bots by the looks of it, but it was happening in v9.2 and still happens in v9.3.

The error is caused by line 63 in modules/Forums/viewtopic.php

$start = ( isset($_GET['start_rel']) && isset($_GET['printertopic']) ) ? intval($_GET['start_rel']) - 1 : $start;

If start_rel and printertopic are both set in the URL (and start_rel is not a number) you end up with the $start variable being set to -1 and the SQL statement thereby including LIMIT -1.

To fix this I inserted this line after line 63 :-

$start = (intval($start)>0) ? intval($start) : 0;

You don't appear to be accepting bug reports for v9.x anymore, but this affects the current v9.3

Gaming League / Cup - www.leaguecms.co.uk :: Other DragonFly modules - www.cmsdreams.co.uk

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


Try with just replacing line 63 with
$start = isset($_GET['start_rel'], $_GET['printertopic']) && intval($_GET['start_rel']) ? intval($_GET['start_rel']) - 1 : $start;

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


I think this would be better :-

$start = isset($_GET['start_rel'],$_GET['printertopic']) && intval($_GET['start_rel'])>0 ? intval($_GET['start_rel']) - 1 : $start;

Otherwise you could pass a negative value for "&start_rel" and get a DB error.



Amazing that it's never been reported, given that it's been there from the beginning, probably in phpBB originally.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux / apache 2.2.22 / mysqli 5.6.34 / 7.1.22 / 10.0.48.9418+


var_dump(true && true && intval('string'));



I have df.org sql errors mailed to me and I can say it never happened to us, weird, no such behaviour has been seen here.

Those are not real bots; it's users' toolbars or installable daemons crawling the web for the Chinese company.
Hostnames are also fake, as all Baidu bot IPs fail hostname verification such as an inverse DNS query (iquery, obsolete as per RFC), forward DNS query, or briefly IP -> hostname -> IP.

It does respect robots.txt, but logs are infested by this user-agent.

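The IP -> hostname -> IP check mentioned in the post above, written out as an added example (not code from the thread or from Dragonfly). The function name `verify_crawler`, the injectable resolver parameters and all DNS data are assumptions made for illustration; the two domain suffixes are the ones that appear in the hostnames quoted in this thread.

```php
<?php
// Added example: forward-confirmed reverse DNS (ip -> hostname -> ip).
// Resolvers are injectable so the check can run offline on constructed data;
// by default it uses PHP's gethostbyaddr() and gethostbynamel() (IPv4 only).
function verify_crawler($ip, array $allowedSuffixes,
                        $reverse = 'gethostbyaddr', $forward = 'gethostbynamel') {
    $host = call_user_func($reverse, $ip);
    // gethostbyaddr() returns the unmodified IP on lookup failure, false on malformed input.
    if ($host === false || $host === $ip) {
        return 'no-ptr';
    }
    $host = strtolower(rtrim($host, '.'));
    $matched = false;
    foreach ($allowedSuffixes as $suffix) {
        // Suffixes start with a dot so "evilgooglebot.com" cannot match ".googlebot.com".
        if (substr($host, -strlen($suffix)) === $suffix) { $matched = true; break; }
    }
    if (!$matched) {
        return 'wrong-domain';
    }
    $addrs = call_user_func($forward, $host);   // gethostbynamel() returns false on failure
    if ($addrs === false || !in_array($ip, $addrs, true)) {
        return 'forward-mismatch';              // PTR claims a crawler name the A record does not confirm
    }
    return 'verified';
}

// Constructed DNS data on documentation addresses (RFC 5737); not real crawler IPs or observations.
$ptr = array(
    '192.0.2.10' => 'crawl-192-0-2-10.googlebot.com',
    '192.0.2.20' => 'baiduspider-192-0-2-20.crawl.baidu.com',
    '192.0.2.30' => 'host30.isp.example',
);
$a = array(
    'crawl-192-0-2-10.googlebot.com'         => array('192.0.2.10'),
    'baiduspider-192-0-2-20.crawl.baidu.com' => array('198.51.100.7'),
);
$reverse = function ($ip) use ($ptr) { return isset($ptr[$ip]) ? $ptr[$ip] : $ip; };
$forward = function ($host) use ($a) { return isset($a[$host]) ? $a[$host] : false; };

$suffixes = array('.googlebot.com', '.crawl.baidu.com');
foreach (array('192.0.2.10', '192.0.2.20', '192.0.2.30', '192.0.2.40') as $ip) {
    echo $ip, ' => ', verify_crawler($ip, $suffixes, $reverse, $forward), "\n";
}
```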


Off topic.

Well, put a hold on the verification process, as the last CVS does not verify the bot hostname by choice. Running some tests now.



Unfortunately I've deleted previous emails and obviously not had any since I applied the fix, but I don't think it was the same bot every time, I just never bothered reporting it before because it was always bots.

Would it help if I undo the fix so some more errors are generated, so I can let you know bot / IP details?



Nah, it's all good, thanks.

As a side note, still, months after my first tests, .crawl.baidu.com hostnames fail reverse fwd queries.

<?php
header('Content-Type: text/plain');
var_dump(true && true && intval(0));
var_dump(true && true && intval('0'));
var_dump(true && true && intval('string'));

As all of those return false, you can safely skip >0



Yes, but

var_dump(true && true && intval(-1));
var_dump(true && true && intval('-1'));

both return true, and both would give you a DB error, so you do really need to test for >0, IMHO.

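The three expressions discussed in the posts above, run side by side over constructed `start_rel` values, as an added example that is not part of the thread or of Dragonfly's code. The function names are made up for this comparison, and `start_strict` is a hypothetical stricter variant built on `filter_var()` that nobody in the thread proposed.

```php
<?php
// Added example. $get stands in for $_GET; $start is the offset computed earlier in viewtopic.php.
function start_original(array $get, $start) {      // line 63 as quoted in the first post
    return (isset($get['start_rel']) && isset($get['printertopic']))
        ? intval($get['start_rel']) - 1 : $start;
}
function start_truthy(array $get, $start) {        // first suggested replacement
    return isset($get['start_rel'], $get['printertopic']) && intval($get['start_rel'])
        ? intval($get['start_rel']) - 1 : $start;
}
function start_positive(array $get, $start) {      // replacement with the > 0 test
    return isset($get['start_rel'], $get['printertopic']) && intval($get['start_rel']) > 0
        ? intval($get['start_rel']) - 1 : $start;
}
// Hypothetical variant: accept only a clean integer >= 1, then clamp the result.
function start_strict(array $get, $start) {
    if (isset($get['start_rel'], $get['printertopic'])) {
        $rel = filter_var($get['start_rel'], FILTER_VALIDATE_INT,
                          array('options' => array('min_range' => 1)));
        if ($rel !== false) {
            $start = $rel - 1;
        }
    }
    return max(0, (int) $start);
}

// Constructed inputs; 'http:' is the value seen in the error report in the first post.
$samples  = array('http:', '0', '-1', '-5', '3', '3abc', array('x'));
$variants = array('start_original', 'start_truthy', 'start_positive', 'start_strict');

printf("%-12s", 'start_rel');
foreach ($variants as $fn) { printf("%-16s", $fn); }
echo "\n";
foreach ($samples as $value) {
    $get = array('start_rel' => $value, 'printertopic' => '1');
    printf("%-12s", is_array($value) ? 'array' : $value);
    foreach ($variants as $fn) {
        $offset = $fn($get, 0);
        // A negative offset is what ends up as "LIMIT -1, 1" and triggers the MySQL syntax error.
        printf("%-16s", $offset < 0 ? $offset . ' (error)' : $offset);
    }
    echo "\n";
}
```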


I undid the fix for today and sure enough I've had a few emails, some from

IP: 180.76.5.136 Host: baiduspider-180-76-5-136.crawl.baidu.com

And others from

IP: 66.249.66.225 Host: crawl-66-249-66-225.googlebot.com



That's right, changes in cvs.
