MyBB Community Forums

Full Version: Tapatalk mysql error
MyBB Version 1.6.9
PHP Version 5.3.3
SQL Engine MySQLi 5.0.95

MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm lost.......','170','1358340380')' at line 3
Query:
INSERT INTO mybb_tapatalk_push_data (author,user_id,data_type,title,data_id,create_time) VALUES ('cowboy from hell','2','quote','I'm lost.......','170','1358340380')
Please contact the MyBB Group for support.
That's not Google SEO, but Tapatalk (or whatever has a mybb_tapatalk_push_data table). And that error is a security issue.
That looks more like a problem with a Tapatalk plugin rather than Google SEO.

EDIT: ninja'd by frostschutz
Right-o. Tapatalk 3.2.1 doesn't properly sanitize SQL queries. That's the current version on their site; the version here in the mods database is outdated and doesn't have that particular piece of code yet.

Take it up with them. (And best to deactivate the plugin as long as the issue isn't fixed.)
I see, should I downgrade to the MyBB-offered version?
No, you should talk to whoever's responsible at Tapatalk.
OK, sorry for pointing the finger at the wrong culprit, just hadn't seen it until after a switch to SEO.
Their fix doesn't fix anything by the way.
You're referring to the post I commented on on their board?

They released a version 3.2.1 today that they claim fixes it.
That's the same 3.2.1 I was looking at in post #4 already. This is what they do:

$str = $db->escape_string($str);
return html_entity_decode($str, ENT_QUOTES, 'UTF-8');

After going to all the trouble of quoting quotes, what is the point if you unquote right afterwards?

This is screaming SQL injection to me, but of course, I haven't actually tried it. It may be safe still due to some circumstance, but the point is, you just don't do things like modifying an already sanitized string.

If it failed on ' before, what happens now if you give it ' ' ' ' etc.
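
The following PHP is an added example, not part of the thread and not Tapatalk's or MyBB's code. It runs the escape-then-decode order quoted above and the reversed order over the post title from the error message; escape_stub() is a hypothetical stand-in for $db->escape_string(), and the entity-encoded form of the title is a constructed input.

```php
<?php
// Added illustration; not Tapatalk or MyBB code.
// escape_stub() is a hypothetical stand-in for $db->escape_string(): it
// backslash-escapes the characters that are special in a quoted SQL literal.
function escape_stub(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Order from the quoted snippet: escape first, then decode HTML entities.
function escape_then_decode(string $s): string
{
    return html_entity_decode(escape_stub($s), ENT_QUOTES, 'UTF-8');
}

// Reversed order: escaping is the last transformation before the query.
function decode_then_escape(string $s): string
{
    return escape_stub(html_entity_decode($s, ENT_QUOTES, 'UTF-8'));
}

// True if $s contains a single quote that is not backslash-escaped, i.e. one
// that would terminate a '...' literal the value is placed into.
function has_unescaped_quote(string $s): bool
{
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '\\') {
            $i++;            // skip the escaped character
            continue;
        }
        if ($s[$i] === "'") {
            return true;
        }
    }
    return false;
}

// Constructed inputs: the title from the error, raw and entity-encoded.
$samples = ["I'm lost.......", "I&#039;m lost......."];
foreach ($samples as $in) {
    foreach (['escape_then_decode', 'decode_then_escape'] as $fn) {
        $out = $fn($in);
        $verdict = has_unescaped_quote($out) ? 'unescaped quote' : 'ok';
        printf("%-18s %-22s => %-22s %s\n", $fn, $in, $out, $verdict);
    }
}
```

With the quoted order, the entity-encoded title passes through the escape untouched and is then decoded into a bare quote; with the reversed order both inputs stay escaped. Binding the value as a prepared-statement parameter removes the dependence on ordering altogether.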