id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,difficulty
3799,"sql injection, error in your SQL syntax;",plet,,"This is what i received from a hacker. I use Release - 1.7.7, Versie - 2010071002 (I know I need to update):


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[sql])) AND ( (e.access_id IN (2)
OR (e.owner_guid = -1)
OR (
e.acces' at line 7

QUERY: SELECT count(DISTINCT e.guid) as total FROM elgg_entities e JOIN elgg_metadata md on e.guid = md.entity_guid JOIN elgg_metastrings msn on md.name_id = msn.id JOIN elgg_metastrings msv on md.value_id = msv.id WHERE (msn.string IN (""tags"",""interests"",""location"",""skills"") AND msv.string = 'someword' AND ( (md.access_id IN (2)
OR (md.owner_guid = -1)
OR (
md.access_id = 0
AND md.owner_guid = -1
)
) and md.enabled='yes')) AND (e.site_guid IN (1)) AND (e.container_guid IN (7826[sql])) AND ( (e.access_id IN (2)
OR (e.owner_guid = -1)
OR (
e.access_id = 0
AND e.owner_guid = -1
)
) and e.enabled='yes')
",Defect,closed,normal,Needs Review,Core,1.7,minor,worksforme,,brett@…,