Ben224
Posted December 19, 2012

Hi there

I was met with this monster error message this morning. Can anyone (Bsmither?) help figure out what is going wrong?

File: [catalogue.class.php] Line: [1091] "SELECT I.* FROM CubeCart_inventory AS I LEFT JOIN (SELECT product_id, MAX(price) as price, MAX(sale_price) as sale_price FROM CubeCart_pricing_group WHERE group_id = 0 GROUP BY product_id) as G ON G.product_id = I.product_id WHERE I.product_id IN (SELECT product_id FROM `CubeCart_category_index` as CI INNER JOIN CubeCart_category as C where CI.cat_id = C.cat_id AND C.hide = 0) AND I.status = 1 AND (I.name RLIKE '[[:<:]]e**[[:>:]]' OR I.description RLIKE '[[:<:]]e**[[:>:]]' OR I.product_code RLIKE '[[:<:]]e**[[:>:]]') LIMIT 20 OFFSET 0 " - Got error 'repetition-operator operand invalid' from regexp

Thanks in advance!

bsmither
Posted December 19, 2012

You were met with that error message -- where? Any idea who or what was going on at the time the message was generated?

This query is the result from the routine that builds up the query from search terms submitted. The only thing that looks suspicious is the e** which could happen, I think, when a search is made and the searcher believes that wildcards can be used.

Some search engines permit wildcards, others will remove everything but letters and numbers and utilize their own means of wildcarding. So, by entering e*, hoping to get everything that starts with the letter e, CubeCart may be failing to properly sanitize the search terms before adding its own means of wildcarding.

I'll get back to this.

Ben224
Posted December 19, 2012

The message appeared via the system error tab in CC dashboard. I have no idea what was going on at the time the error was generated so I can't offer any more explanation than I have.

I appreciate you looking at this.

bsmither
Posted December 19, 2012

I'll have to do some experiments, but it seems that, yes, CubeCart as of 515, does not sanitize Regular Expression syntax against unwarranted usage of what would be characters that need escaping if to be taken literally.

So, 'e**' was probably someone's child playing on their parent's computer. Or maybe a typo when 'e88' was wanted.

I'll submit a bug report. In the meantime, know that the search submission is properly safened against malicious script injection even though any of the words may confuse the RegExp engine. Ignore the error message.

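One way to close the gap described in the post above, as an added example that is not part of the thread and not CubeCart's own code: escape the regular-expression metacharacters in each search word before wrapping it in the `[[:<:]]` / `[[:>:]]` markers seen in the logged query, and pass the pattern as a bound parameter. The function names and the PDO-style `?` placeholders are assumptions.

```php
<?php
// Added example; function and variable names are hypothetical, not CubeCart's.

// Backslash-escape the POSIX ERE metacharacters so the term matches literally.
function escape_ere(string $term): string
{
    return preg_replace('/[\\\\^.\\[\\]$()|*+?{}]/', '\\\\$0', $term);
}

// Build the word-boundary pattern used in the logged query from one search word.
function word_pattern(string $term): string
{
    return '[[:<:]]' . escape_ere($term) . '[[:>:]]';
}

// Return the WHERE fragment with placeholders plus the values to bind.
// Binding keeps the backslashes intact; inside a quoted SQL literal MySQL
// would consume them as string escapes before the regex engine sees them.
function search_clause(array $terms): array
{
    $columns = ['I.name', 'I.description', 'I.product_code'];
    $parts = [];
    $params = [];
    foreach ($terms as $term) {
        if ($term === '') {
            continue; // nothing to match on
        }
        $pattern = word_pattern($term);
        foreach ($columns as $col) {
            $parts[] = "$col RLIKE ?";
            $params[] = $pattern;
        }
    }
    $where = $parts ? '(' . implode(' OR ', $parts) . ')' : '1=1';
    return [$where, $params];
}

// Constructed input: the search term from the logged query, split on whitespace.
$terms = preg_split('/\s+/', trim('e**'), -1, PREG_SPLIT_NO_EMPTY);
[$where, $params] = search_clause($terms);
echo $where, PHP_EOL;
echo $params[0], PHP_EOL;
```

With the term escaped, the query runs without the regexp error. A term that ends in punctuation, such as this one, then matches nothing, because `[[:>:]]` needs a word character immediately before it.
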
Ben224
Posted December 19, 2012

Thanks for looking at this and thanks for the clarity. I will delete the error log.