Admin please fix the title of my FPP! September 22, 2006 4:59 PM

My front page post seems to have lost its title, which was "'In Connecticut, it shouldn't take more than a short ride to get to another hospital' -- Joe LieberMAN"
posted by orthogonality to Bugs at 4:59 PM (18 comments total)

I added the quote in there.
posted by jessamyn (staff) at 5:03 PM on September 22, 2006


Thanks, but the bug's that it fell out in the first place. Oh! I had a double dash in the body of the quote, which is also the begin comment token in SQL. Maybe that's what did it?

(And the quote really should, to be fair and clear, be attributed -- without the attribution to Lieberman, it gives the impression it's a quote from the woman denied EC.)
posted by orthogonality at 5:11 PM on September 22, 2006


I added the attribution and took out the double quotes [I think it's clear that it's a quote] and it seems like the double quotes might do something weird to that field and mathowie will have to check that out.
posted by jessamyn (staff) at 5:16 PM on September 22, 2006


Yeah, the quotation marks don't get escaped in titles and blow the SQL just for titles.
posted by mathowie (staff) at 5:19 PM on September 22, 2006


Yeah, the "--" token after the double quotes must have commented out the remainder of some SQL statement. What's strange is the insert (or update?) SQL succeeded at all.
posted by orthogonality at 5:20 PM on September 22, 2006
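
An added illustration of the failure the thread is describing, not MetaFilter's own code (the site ran ColdFusion; this uses Python's sqlite3 against a constructed in-memory table). It splices a title containing quote characters and the `--` comment token straight into the SQL text, shows what the parser actually sees, and stores the same title intact with a parameterized query.

```python
import sqlite3
from typing import Optional

# Constructed title modelled on the one in this thread: it contains both
# quote characters and the "--" SQL comment token.
TITLE = ("'In Connecticut, it shouldn't take more than a short ride "
         "to get to another hospital' -- Joe LieberMAN")


def make_db() -> sqlite3.Connection:
    """Constructed posts table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, body TEXT)")
    return conn


def naive_insert_sql(title: str) -> str:
    """Builds the INSERT the way a string-concatenating handler would:
    the title is spliced into the SQL text with no escaping at all."""
    return f"INSERT INTO posts (title, body) VALUES ('{title}', 'body text')"


def text_seen_by_parser(sql: str) -> str:
    """Everything from the first '--' to end of line is a comment, so the
    parser never sees it. This returns what survives of the statement."""
    return sql.split("--", 1)[0].rstrip()


def latest_title(conn: sqlite3.Connection) -> Optional[str]:
    row = conn.execute(
        "SELECT title FROM posts ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0] if row else None


def store_naively(conn: sqlite3.Connection, title: str) -> Optional[str]:
    """Runs the concatenated statement. The apostrophe closes the string
    literal early and '--' swallows the closing paren and body column, so
    the statement is malformed; None means the insert failed."""
    try:
        conn.execute(naive_insert_sql(title))
    except sqlite3.Error:
        return None
    return latest_title(conn)


def store_parameterized(conn: sqlite3.Connection, title: str) -> Optional[str]:
    """The fix: the driver sends the title as a bound value, so quote
    characters and '--' are data, never SQL syntax."""
    conn.execute("INSERT INTO posts (title, body) VALUES (?, ?)",
                 (title, "body text"))
    return latest_title(conn)
```

A title with no quotes or dashes goes through the naive path fine, which is why the bug only surfaces on particular inputs.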


Sorry, I previewed it and figured that since the preview page didn't complain, it was OK.
posted by orthogonality at 5:21 PM on September 22, 2006


Also, Pastabagel's act is getting a little tired.
posted by empath at 5:31 PM on September 22, 2006 [1 favorite]


Oh. Matt: this is potentially a security hole allowing a SQL injection attack. (Which I won't try to test :) for obvious reasons, but I think there's a SQL statement that could make this reveal user passwords.)
posted by orthogonality at 5:36 PM on September 22, 2006


I think there's a SQL statement that could make this reveal user passwords.

Or delete accounts, posts etc, I would guess. Nasty.
posted by matthewr at 5:42 PM on September 22, 2006


matthewr writes "Or delete accounts, posts etc, I would guess. Nasty."

Possibly, but if it's only within an insert or update statement, I can't see a way to do a delete with straight SQL. I can see a way to do some revealing, though (which I won't post, of course). Well, maybe you could do a delete, but not with only built-in SQL; you'd have to call something that did it.
posted by orthogonality at 5:50 PM on September 22, 2006


Why is that title there at all? It had absolutely nothing to do with the post. My car sports a Ned Lamont sticker; I'm all for bashing Joementum, but it's completely off topic.
posted by Saucy Intruder at 6:21 PM on September 22, 2006


Saucy Intruder writes "Why is that title there at all? It had absolutely nothing to do with the post."

Joe's remark argued that it didn't matter if any particular hospital refused to provide emergency contraception, because (he said) there are plenty of other nearby hospitals that will.

The linked story is evidence that refutes Joe's argument.

booksandlibretti (a poster I've always found pretty articulate) argued that Joe's comment only refers to Connecticut, not to Ohio, where the women in the linked article couldn't get EC. My response to that is that as a US senator, Joe's beliefs result in laws that apply to Ohio as well as Connecticut.
posted by orthogonality at 6:36 PM on September 22, 2006


Bit of a derail here...

orthogonality, I was assuming that you could terminate the SELECT with a ';' or similar, and then add a DELETE statement or worse. Also, depending on the library and DB, perhaps a DELETE could be embedded as a subquery (MySQL's documentation doesn't seem to rule this out, though why you'd ever want a DELETE as a subquery I don't know).

No idea if ColdFusion supports any of these kind of things, though.
posted by matthewr at 6:41 PM on September 22, 2006


Incidentally, I generally like to make the title a bit arch or coy or allusive, and I've been trying to experiment with more elliptical posts, as this one which has nothing to do with Our Town or Grover's Corners or Thornton Wilder, but uses the closing dialogue of that play as a linking device or bridge for articles on sleep deprivation and torture.

matthewr writes "orthogonality, I was assuming that you could terminate the SELECT with a ';' or similar, and then add a DELETE statement or worse. Also, depending on the library and DB, perhaps a DELETE could be embedded as a subquery (MySQL's documentation doesn't seem to rule this out, though why you'd ever want a DELETE as a subquery I don't know). "

Um. Yeah, I'm wrong and you're right, you could terminate the statement and follow with an arbitrary statement. A delete shouldn't be allowed in a subquery (but I can't readily find a BNF for MySQL), but yes, even MySQL allows subqueries and that's what I was thinking of without wanting to spell it out lest script kiddies read it.
posted by orthogonality at 6:52 PM on September 22, 2006


I've been trying to experiment with more elliptical posts

*runs screaming*
posted by mediareport at 6:54 PM on September 22, 2006


that's what I was thinking of without wanting to spell it out lest script kiddies read it

Yup, I should probably engage brain before opening mouth.
posted by matthewr at 7:02 PM on September 22, 2006


what empath said.
posted by Hat Maui at 11:36 PM on September 22, 2006


You might want to fix that. Like, now. Unescaped stuff going in SQL = very, very bad, at least once people know about it.
posted by reklaw at 4:24 PM on September 23, 2006

