Fuddland


I really am confused.

When I first tried posting the previous entry—even when attempting to preview it—MT kept throwing up an internal server error [code 500, for all you HTTP status code fans]. After some investigation, involving writing a couple of dummy test posts, it seemed that it was something in the text of the entry itself that was causing the problem. I started again, pasting the text in paragraph by paragraph, and discovered that this was the problematic string:

Just fill in this form with your name and address, make out £2 payments to each of the names listed below, insert in to an envelope along with correct number of postage stamps and post to adddress given below.

In fact, I can be more specific: it’s the string “insert in to”, which [the generally poor grammar of the text I was quoting aside] should say “into” not “in to”. Except that putting “into” next to “insert” caused the server error. Changing it to “insert in to” got rid of the error. So did changing it to “put into”, which is even more bizarre. I’m at a complete and utter loss to explain why the word “insert” followed by “into” causes MT [version 3.11] to give up the ghost, but it’s happening even with this entry, and even with a completely blank entry save for those two words.

Update: I had a brainwave and managed to ascertain that this problem is common to weblogs using MT which share the same hosting company as me. I tried to submit a support ticket but, guess what? I got an internal server error when I tried to submit it! Seems they’re having more than a couple of problems at the moment.

Update: Doh! Of course, the problem with the support ticket was that, in describing the problem, I was using the very strings that I’m not able to use! So it’s not limited to MT, but something more global that’s causing the problem.

Update: As suspected, the problem was with some aggressive filtering by an Apache module. My hosts saw no problem in removing the filters, so now I can start that weblog about MySQL issues that I’ve always dreamt about…

In: Indexed & Site News

2004 / 09 / 28 – 10:09


Comments

#1

Adam Sampson | 2004 / 09 / 28 – 14:45

Well, INSERT INTO is how you’d start an INSERT operation in SQL. Maybe it’s trying to detect people who’re attempting to abuse the MT scripts, and being a bit overenthusiastic about it?

(Hey, look, it does it in comments too — I needed to break up INTO with a tag to get this through…)

#2

David | 2004 / 09 / 28 – 14:50

Re #1: Indeed, mrtn [currently “blogger without portfolio” :)] pointed out the same thing, and discovered that DELETE FROM also breaks it. I’ve submitted a bug report in the MT forum, if only to see if anyone else can reproduce this.

#3

Lyle | 2004 / 09 / 28 – 16:42

Yeah, it’s definitely SQL related. You’d probably find that “Select * from” knackers it too.

EDIT : Well, it would do if I hadn’t broken that up with nbsp’s. *grin*

[Edited by commenter — 16:43]

#4

David | 2004 / 09 / 28 – 16:47

Re #3: Actually SELECT * FROM gets through fine; so far, it appears to be only INSERT INTO and DELETE FROM which cause problems. And at least one other person has no trouble using these strings, so there’s something screwy with my configuration. :(

#5

Lyle | 2004 / 09 / 28 – 16:54

Hmm, interesting. Does UPDATE something WHERE knacker it at all?

I’d suspect it’s not just your config that’s chuffed - it certainly makes me want to go and play on other people’s MT blogs.

God I’m sad…

#6

David | 2004 / 09 / 28 – 17:23

Re #5: It would appear not, assuming “something” is one of the tables in the database, e.g. UPDATE mt_log SET log_id = 0 WHERE log_id = 1 [I really don’t know much about MySQL!]. Suffice to say, anything that gets through in these comments is also fine in the entry-creation process.

#7

Daisy | 2004 / 09 / 30 – 12:22

“blogger without portfolio”? Genius!

#8

graeme | 2004 / 09 / 30 – 20:15

This seems to be an example of, or at least related to, the practice of “SQL Injection” which I was reading up on the other day (what can I say - I need to get out more). Try reading through this article:

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Then go and have some fun with some web forms.

#9

David | 2004 / 09 / 30 – 20:42

Re #8: Thanks for the link Graeme. A nice chap called Leon saw my post on the MT forum and contacted me to let me know that he had the same problem, and it was due to his hosts using a rather aggressive Apache filter called ModSecurity which prevents text such as the examples above getting through. I’ve let my own hosts know and, if they use the same or a similar product, I guess it’s really up to them whether they want to relax some of the filters. Until then, not much I can do except not use those strings!
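The behaviour reported in this thread, as an added Python example (not code from the post, from MT, or from ModSecurity): a filter that scans the whole request body for SQL phrases rejects ordinary prose, while a parameterized query stores the same text as plain data. The two regex patterns, the function names and the sample strings are assumptions modelled on the strings the post and comments report; the host's real rules are not shown on the page.

```python
import re
import sqlite3

# Assumed rules: the page reports which phrases were blocked, not the
# host's actual filter configuration.
BLOCKED = [re.compile(p, re.I) for p in (r"insert\s+into", r"delete\s+from")]

def filter_status(body: str) -> int:
    """HTTP status a whole-body keyword filter would produce for this text."""
    return 500 if any(p.search(body) for p in BLOCKED) else 200

def store_entry(conn: sqlite3.Connection, text: str) -> str:
    """Store text through a bound parameter, so it is never parsed as SQL."""
    conn.execute("INSERT INTO entries (body) VALUES (?)", (text,))
    row = conn.execute(
        "SELECT body FROM entries ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]

# Constructed sample bodies based on the strings discussed in the thread.
SAMPLES = [
    "insert into an envelope along with correct number of stamps",
    "insert in to an envelope",
    "put into an envelope",
    "SELECT * FROM gets through fine",
    "DELETE FROM also breaks it",
    "UPDATE mt_log SET log_id = 0 WHERE log_id = 1",
]

def run_demo():
    """Return (body, filter status, stored intact?) per sample and row count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT)")
    results = []
    for body in SAMPLES:
        stored = store_entry(conn, body)
        results.append((body, filter_status(body), stored == body))
    count = conn.execute("SELECT COUNT(*) FROM entries").fetchone()[0]
    return results, count

if __name__ == "__main__":
    results, count = run_demo()
    for body, status, intact in results:
        print(f"{status}  stored_intact={intact}  {body}")
    print(f"rows stored: {count}")
```

Every sample is stored unchanged by the bound-parameter insert, including the two the keyword filter would have turned into a 500.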

 
