  1. Moodle
  2. MDL-7765

Error with SQL injection because of Comment field length

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7
    • Fix Version/s: 1.7.2
    • Component/s: Installation
    • Labels:
      None
    • Environment:
      Windows XP SP2, Apache 2.2.3, PHP 5.2.0, MySQL 5.0.27

      Description

      This problem as well as another installation problem are described in this forum http://moodle.org/mod/forum/discuss.php?d=58264

      During the database installation, an error will occur with some of the comments for a table or column within a table, with the error 1105.
      See the example error below:

      (mysql): ALTER TABLE mdl_log_display COMMENT='For a particular module/action, specifies a moodle table/field' 1105: Too long comment for table '#sql-e0c_f9'

      ADOConnection._Execute(ALTER TABLE mdl_log_display COMMENT='For a particular module/action, specifies a moodle table/field', false) % line 889, file: adodb.inc.php
      ADOConnection.Execute(ALTER TABLE mdl_log_display COMMENT='For a particular module/action, specifies a moodle table/field') % line 71, file: dmllib.php
      execute_sql(ALTER TABLE mdl_log_display COMMENT='For a particular module/action, specifies a moodle table/field', true) % line 1737, file: dmllib.php
      execute_sql_arr(Array[235]) % line 548, file: ddllib.php
      install_from_xmldb_file(C:\Inetpub\wwwroot\Moodle/lib/db/install.xml) % line 147, file: index.php

      This error occurs with several of the COMMENT fields for either tables or columns; I found three during my installation test:
      Line 85 of /moodle/mod/forum/db/install.xml
      Line 275 of /moodle/mod/quiz/db/install.xml
      Line 7 of /moodle/blocks/rss_client/db/install.xml

      My own analysis:
      I ran into this same problem (the adodb error) when doing an install on a test machine (WinXP, Apache 2.2, MySQL 5.0.27, PHP 5.2.0) using the latest Moodle build (1.7+) (not CVS), which seems to have something to do with comment field length being limited in MySQL (at least in Windows?) and the Comment fields that are called in the XML files being too long. The installer for Moodle, on errors, then tries to reinstall the same information for the section that was being installed (i.e. quizzes, forums, etc., whatever SQL injection it was at when the error occurred) when the comment error was reached and also to reinstall into the log_display table, resulting in duplicate key errors like those reported in forum posts (examples here: http://moodle.org/mod/forum/discuss.php?d=57513 and here: http://moodle.org/mod/forum/discuss.php?d=58775).

      Workarounds were described by Gordon Bateson in the forum post, which included:
      1. open "lib/adodb/adodb.inc.php" with a text editor
      2. locate the following lines (around line 886):
          function &_Execute($sql,$inputarr=false)
          {
      3. change the above lines to the following:
          function &_Execute($sql,$inputarr=false)
          {
          $sql = preg_replace("/COMMENT='.*?'/", "COMMENT=''", $sql);
         i.e. add the last line, which removes comments from the $sql
      4. save the modified "lib/adodb/adodb.inc.php"
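
An added example, not part of the original report or of Moodle's code: a pre-install check that lists the TABLE and FIELD elements in an XMLDB install.xml whose COMMENT is longer than the database accepts, with line numbers like those the reporter listed, so the comments can be shortened at the source instead of stripped from every statement. The limits (60 characters for table comments and 255 for column comments in MySQL releases before 5.5.3), the function name and the sample XML are assumptions.

```python
import xml.parsers.expat

# Assumed limits (not stated in the report): MySQL releases before 5.5.3 cap
# table comments at 60 characters and column comments at 255.
LIMITS = {"TABLE": 60, "FIELD": 255}

# Constructed sample in the XMLDB install.xml layout; only the log_display
# comment is taken from the error message quoted in the report.
SAMPLE = """<XMLDB PATH="lib/db" COMMENT="constructed sample">
  <TABLES>
    <TABLE NAME="log_display" COMMENT="For a particular module/action, specifies a moodle table/field">
      <FIELDS>
        <FIELD NAME="id" TYPE="int" LENGTH="10" COMMENT="primary key"/>
      </FIELDS>
    </TABLE>
    <TABLE NAME="config" COMMENT="Moodle configuration variables"/>
  </TABLES>
</XMLDB>
"""


def find_long_comments(xml_text, limits=LIMITS):
    """Return (line, element, name, length, limit) for each over-long COMMENT."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start(tag, attrs):
        limit = limits.get(tag)
        comment = attrs.get("COMMENT", "")
        if limit is not None and len(comment) > limit:
            # CurrentLineNumber is the line on which this element's tag starts.
            findings.append((parser.CurrentLineNumber, tag,
                             attrs.get("NAME", "?"), len(comment), limit))

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return findings


if __name__ == "__main__":
    for line, tag, name, length, limit in find_long_comments(SAMPLE):
        print(f"line {line}: {tag} {name}: comment is {length} chars, limit {limit}")
```
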

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  30/Mar/07