I am currently creating a plugin for WordPress that will log errors in the admin area that may happen in custom code. This log is not intended for PHP errors, which are already stored in debug.log.
It's more to help find configuration errors, for example if I have a loop over posts and I expect the post image to be set, like:
```php
$post_img = get_the_post_thumbnail_url(123, 'full');
if ($post_img == false)
{
    my_error_log('No featured image set for post 123');
}
```
I'm showing these errors in an admin WP_List-style table so that even editors can handle and solve such configuration errors.
Everything worked great until I tried to catch $wpdb->last_error messages, like:
```php
$query = $wpdb->query('DDELETE FROM ' . $wpdb->postmeta . ' WHERE meta_key = "custom_meta";');
if ($query === false)
{
    my_error_log('Failure in wpdb->query!<br><code>' . $wpdb->last_error . '</code>');
}
```
The DELETE command is intentionally incorrect to generate an error message!
It is written correctly to the database as:
```text
Failure in wpdb->query!<br><code>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DDELETE FROM wpdev_postmeta WHERE meta_key = "custom_meta"' at line 1</code>
```
But if I want to show the errors in the WP_List, fetching them in prepare_items with $wpdb->get_results('SELECT * FROM wp_my_error_log ...'), I only get a 404 error and nothing is displayed!
While searching the server error log files (the right one ;-) ) I found the following line:
> [:error] [pid 803349:tid 139870349313792] [client 123.XXX.XXX.XXX:0]
> ModSecurity: Access denied with code 404 (phase 4). Pattern match "You
> have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
> [file "/etc/modsecurity/conf.d/11_asl_data_loss.conf"] [line "96"] [id "361022"]
> [rev "2"] [msg "Atomicorp.com WAF Rules: Potential SQL Information Leakage"] [severity "ALERT"] [tag "no_ar"]
So does that mean ModSecurity thinks it's an SQL injection? And how should I log my error then?
> So does that mean ModSecurity thinks it's an SQL injection? And how should I log my error then?

I don't think so.
Look at the log message:
```text
ModSecurity: Access denied with code 404 (phase 4). Pattern match "You have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
```
The key is the phase, which is 4 and the target: RESPONSE_BODY.
You are right that this is because of ModSecurity (more precisely, the rule set in use), but it does not assume it's an SQL injection.

> And how should I log my error then?

You should create an exclusion, which depends on URI/IP address/anything, and partially remove rule 361022, or remove the target RESPONSE_BODY from that rule.
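As an added example (not from the original answer or the Atomicorp rule set), the two exclusion styles the answer describes, written as ModSecurity 2.x directives; the `/wp-admin/` path, the rule id 1000361022 and the 192.0.2.0/24 address range are placeholders to adjust, and the file is assumed to load after the rule set so rule 361022 already exists:

```apache
# Option A: drop only the RESPONSE_BODY target from rule 361022, site-wide.
# The rule keeps its other targets, but SQL error text in any response body
# is no longer caught, so the information-leak check is lost everywhere.
SecRuleUpdateTargetById 361022 "!RESPONSE_BODY"

# Option B (narrower): keep rule 361022 intact for the public site and drop
# its RESPONSE_BODY target only for requests to the admin area, and only
# from the editors' own network. Runs in phase 1, so it takes effect before
# the phase-4 response-body inspection it modifies.
# 1000361022 is a placeholder id; 192.0.2.0/24 is a placeholder range.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:1000361022,phase:1,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24" \
        "ctl:ruleRemoveTargetById=361022;RESPONSE_BODY"
```

Option B leaves the leak detection active for the public pages, which is where a raw database error message in a response body is the signal the rule exists to catch.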
It seems that this aspect of security is really important. Even Stack Overflow has a solution for this. It nested my posted error message above into special elements:
```html
<code class="hljs language-vhdl">
<span class="hljs-literal">Failure</span>
<span class="hljs-keyword">in</span>
wpdb->query!<br><code>You have an
<span class="hljs-literal">error</span>
<span class="hljs-keyword">in</span>
your SQL syntax; check the manual that corresponds
<span class="hljs-keyword">to</span> your MySQL server version
<span class="hljs-keyword">for</span> the right syntax
<span class="hljs-keyword">to</span>
<span class="hljs-keyword">use</span>
near
<span class="hljs-symbol">'DDELETE</span>
FROM wpdev_postmeta WHERE meta_key =
<span class="hljs-string">"custom_meta"</span>
' at
<span class="hljs-literal">line</span>
<span class="hljs-number">1</span></code>
</code>
```
My solution was to replace all spaces with the HTML entity . Then it also gets past ModSecurity.
I'm using Zeos and a SQLite3 DB in Delphi:
```delphi
ZQuery2.Close;
ZQuery2.SQL.Clear;
ZQuery2.SQL.Add('SELECT * FROM users WHERE un = ' + QuotedStr(UserName));
ZQuery2.Open;
OutputDebugString(PWideChar(ZQuery2.FieldDefList.CommaText)); // log: id,un,pw
OutputDebugString(PWideChar(ZQuery2.FieldByName('pw').AsString)); // causes error sometimes
```
The code is working, but sometimes I get the following error message:
```text
Exception class EDatabaseError with message 'ZQuery2:Field'pw' not found'.
```
This is odd because a field of a dataset shouldn't just disappear while the app is in the middle of running, especially if other fields are still operating normally. So, I would suspect something like a memory overwrite being the cause.
Memory overwrites usually happen when something is written to the wrong place in memory, overwriting what is there, usually because of an incorrect pointer value or a so-called "buffer overrun" where the writing operation carries on beyond where it should stop. Usually, the pointer value is so wildly wrong that the OS can detect it and raise an AV, but sometimes it is less obvious.
Delphi's memory manager has a 'full debug mode' which adds special checks for this condition, see here.
I suggest you enable full debug mode as per the linked document and wait for the exception to occur.
I was trying to make a website using Perl Dancer; below is my code. It seems to be correct, but the page keeps loading and never enters the values in the database. When I cancel the page I get an error stating "request to POST /appform crashed: Can't call method "execute" on an undefined value". I can't figure out what's wrong in the code. If you have any other code, please mention it.
I am using SQLite for the database.
There is a database campus.db and I am inserting the values into the student table.
```perl
post '/appform' => sub {
    my $q = CGI->new;
    my $name          = $q->param("firstname");
    my $password      = $q->param("password");
    my $mobile_no     = $q->param("mobile");
    my $gender        = $q->param("gender");
    my $email         = $q->param("email");
    my $address       = $q->param("address");
    my $sslc          = $q->param("SSLC");
    my $hsc           = $q->param("HSC");
    my $cgpa          = $q->param("cgpa");
    my $languages     = $q->param("lang");
    my $internships   = $q->param("intern");
    my $preferred_loc = $q->param("country");
    my $sql = "insert into student(name,mobile_no,gender,email,address,sslc,hsc,cgpa,languages,internships,preferred_loc,password,applied_job,company_applied) values ('?','?','?','?','?','?','?','?','?','?','?','?','?','?');";
    my $sth = database->prepare($sql);
    $sth->execute($name,$mobile_no,$gender,$email,$address,$sslc,$hsc,$cgpa,$languages,$internships,$preferred_loc,$password) or die $sth->errstr;
    #$sth->execute();
    $sth->finish;
    set_flash('New entry posted!');
    redirect '/';
};
```
You're using the database keyword to get a database handle. I'm guessing that's coming from Dancer2::Plugin::Database (it would be useful if you could include information like this in your question).
The error says that you're calling execute() on an undefined value. You're calling execute() on the variable $sth. So $sth is undefined. You get $sth by calling prepare() on the database handle returned from database(). So it looks like the prepare() call is failing. You should check the return value from that call and throw an error if it fails.
The most common reason for prepare() to fail is that you're trying to compile an SQL statement that contains an error. I can't see any obvious error in your SQL, but it's worth checking it by running it manually against your database.
I see you're using bind params in your SQL statement. That's a great idea, but please note that you don't need to quote the question marks in your SQL - the database driver will handle that for you. I don't think that's what is causing your problem though.
I also see that you're using CGI.pm inside your Dancer app to get the request parameters. To be honest, I'm slightly surprised that it works - but it's a terrible idea. Dancer has its own keywords that will give you this information. Look at query_parameters(), body_parameters() and route_parameters() in the Dancer documentation.
In addition to the points made already, that your DBI prepare() call is probably failing (add error-checking to see why, e.g. my $sth = database->prepare('...') or die "DB error: " . database->errstr) and that you're using CGI.pm within a Dancer app (... don't do that, I'm surprised it would work at all - look at the Dancer documentation for how to access the params your app was sent), look also at the quick_insert convenience method provided by Dancer::Plugin::Database / Dancer2::Plugin::Database so that you don't have to write that SQL INSERT statement at all.
I connected to clickhouse with tableau.
A query like this
```sql
select * from table_name limit 1
```
returns the fields of the table, even though it should return rows.
If I try
```sql
select subs_key from table_name limit 1
```
and click preview results,
I get the error from above (except cnt is replaced with subs_key or whatever field I try to select).
How can I actually view table data?
Edit
There is a connection to the db, but no table is shown in available schemas.
EDIT 2
I managed to connect and get data from an oracle and mysql database, but while I am connected to click house, I can't see any data.
Don't quote me on this, but I believe Tableau has no official support for ClickHouse; at least I could not find anything to contradict this, tons of people asking for it but nothing concrete.
There might be some sort of beta integration that's not yet stable, hence your problem, but this is just blind guessing.
What I can recommend, if you really need a UI and can't just use the CLI client, is using tabix:
https://github.com/smi2/tabix.ui
It's fully open source for now and should be pretty easy and straightforward to learn; there might be the odd bits of Russian here and there, but I believe it's getting debugged and translated at quite a good pace.
I get the same error message when I use DBeaver.
```text
SQL Error [47]: ClickHouse exception, Code: 47, e.displayText() =
DB::Exception: Unknown identifier: default_type, e.what() = DB::Exception
```
If it's not a coincidence, then it's a JDBC driver bug.
I have a website that uses Meteor 0.9. I have deployed this website on OpenShift (http://www.truthpecker.com).
The problem I'm experiencing is that when I go to a path on my site (/discover), then sometimes (though not always), the data needed are not fetched by Meteor. Instead I get the following errors:
On the client side:
```text
WebSocket connection to 'ws://www.truthpecker.com/sockjs/796/3tfowlag/websocket' failed: Error during WebSocket handshake: Unexpected response code: 400
```
And on the server side:
```text
Exception from sub rD8cj6FGa6bpTDivh Error: Match error: Failed Match.OneOf or Match.Optional validation
    at checkSubtree (packages/check/match.js:222)
    at check (packages/check/match.js:21)
    at _.extend._getFindOptions (packages/mongo-livedata/collection.js:216)
    at _.extend.find (packages/mongo-livedata/collection.js:236)
    at Meteor.publish.Activities.find.user [as _handler] (app/server/publications.js:41:19)
    at maybeAuditArgumentChecks (packages/livedata/livedata_server.js:1492)
    at _.extend._runHandler (packages/livedata/livedata_server.js:914)
    at _.extend._startSubscription (packages/livedata/livedata_server.js:764)
    at _.extend.protocol_handlers.sub (packages/livedata/livedata_server.js:577)
    at packages/livedata/livedata_server.js:541
Sanitized and reported to the client as: Match failed [400]
```
Can anyone help me to eliminate this error and get the site working? I'd be very grateful!
Tony
P.S.: I never got this error using localhost.
EDIT:
The line causing the problem is this (line 41):
```javascript
return Activities.find({user: id}, {sort: {timeStamp: -1}, limit: 40});
```
One document in the activities collection looks like this:
```javascript
{
    "user" : "ZJrgYm34rR92zg6z7",
    "type" : "editArg",
    "debId" : "wtziFDS4bB3CCkNLo",
    "argId" : "YAnjh2Pu6QESzHQLH",
    "timeStamp" : ISODate("2014-09-12T22:10:29.586Z"),
    "_id" : "sEDDreehonp67haDg"
}
```
When I run the query done in line 41 in mongo shell, I get the following error:
```text
error: { "$err" : "Unsupported projection option: timeStamp", "code" : 13097 }
```
I don't really know why this is, though. Can you help me there as well? Thank you.
Make sure that you are passing an integer to skip and limit. Use parseInt() if need be.
You have a document on your website that does not match your check validation.
The validation you have is in app/server/publications.js:41
So the attribute in question exists in some way like Match.optional(Match.oneOf(xx)) but the document's attribute is neither of the values in Match.oneOf
You would have to go through your documents for the collection causing this and remove or correct the attribute causing this to match your check statement.
Update for your updated question.
You're running Meteor commands in the meteor mongo/mongo shell. The error you get is unrelated to the problem in Meteor; to sort in the mongo shell you would do activities.find(..).sort() instead of activities.find(.., { sort : {..} }). This is unrelated to the issue.
The issue is most likely that your id is not actually a string. It's supposed to be sEDDreehonp67haDg for the document you're looking for. You might want to use the debugger to see what it actually is.
I don't think you can use limit in client-side find queries. Removing limit from my query solves the problem. If you're looking for pagination, then you can either manually roll your own by passing a parameter to your Activities publication so that the limit is added to the server-side query along with an offset. There is also this pagination package.
We have a site in ColdFusion which integrates with a credit card provider using java components.
When calling a particular function on a java object:
```cfml
<cfset ResponseObject = AgentObject.request(RequestObject, LogObject)>
```
Where ResponseObject, AgentObject and LogObject are Java objects created like:
```cfml
<cftry>
    <cfset AgentObject = createObject("java","com.providername.client.Agent")>
    <cfcatch type="any">
        Do something.
    </cfcatch>
</cftry>
```
The following is output on the page and execution is halted:
```html
<head>
<title>JRun Servlet Error</title>
</head>
<h1>500 Transaction fails verification<br>
BadRequest: Request fails verification checks<br>
BadCardNumber: Card length was 16, but we were expecting 0<br>
</h1>
<body>
Transaction fails verification<br>
BadRequest: Request fails verification checks<br>
BadCardNumber: Card length was 16, but we were expecting 0<br>
</body>
```
The error is expected (we're checking card details), but I don't seem to be able to catch it. A cftry and cfcatch have no effect, so I'm totally at a loss as to how I can handle this error and continue execution.
Can anyone help?
Cheers,
Tom
Edit - additional error information
I thought it may also be useful to post this stack trace. It's not accessible via ColdFusion, but is instead logged to a file as part of LogObject above, presumably in the Java code:
```text
com.providername.client.errors.VerifyErrorReport: Transaction fails verification
com.providername.client.errors.BadRequest: Request fails verification checks
com.providername.client.errors.BadCardNumber: Card length was 16, but we were expecting 0
    at com.providername.util.CardInfo.verifyCardNumber(CardInfo.java:412)
    at com.providername.util.CardInfo.validateCardInfo(CardInfo.java:789)
    at com.providername.util.CardInfo.validateCardInfo(CardInfo.java:838)
    at com.providername.client.Agent.setupTransaction(Agent.java:681)
    at com.providername.client.Agent.setupTransaction(Agent.java:692)
    at com.providername.client.Agent.request(Agent.java:281)
    at sun.reflect.GeneratedMethodAccessor53.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:74)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:1634)
    at cfprovidername2ecfc526409752$funcSENDXMLOBJECT.runFunction(D:\site\components\providername.cfc:210)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:344)
    at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:290)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:254)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:56)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:207)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:169)
    at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:1807)
    at cftransactions2ecfc114461696$funcTRANSACTION.runFunction(D:\site\components\transactions.cfc:175)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:344)
    at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:290)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:254)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:56)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:207)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:366)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:198)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:157)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:1594)
    at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:341)
    at cfauthorise2dprovidername2ecfm1546743078._factor7(D:\site\payment\authorise-providername.cfm:224)
    at cfauthorise2dprovidername2ecfm1546743078._factor27(D:\site\payment\authorise-providername.cfm:164)
    at cfauthorise2dprovidername2ecfm1546743078._factor30(D:\site\payment\authorise-providername.cfm:91)
    at cfauthorise2dprovidername2ecfm1546743078.runPage(D:\site\payment\authorise-providername.cfm:1)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1915)
    at cfauthorise2ecfm767248619.runPage(D:\site\payment\authorise.cfm:10)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1915)
    at cftemplate2ecfm1091873885._factor4(D:\site\server\template.cfm:247)
    at cftemplate2ecfm1091873885.runPage(D:\site\server\template.cfm:1)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1915)
    at cfapplication2ecfm1526755454._factor31(D:\site\application.cfm:673)
    at cfapplication2ecfm1526755454.runPage(D:\site\application.cfm:1)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1915)
    at cfApplication2ecfm1608241748.runPage(D:\site\payment\Application.cfm:30)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:172)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:51)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:69)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:115)
    at coldfusion.CfmServlet.service(CfmServlet.java:107)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
```
I'm a bit late to the party on this, but what you're getting is not a JRun error per se. It seems that the error is thrown in the JRE and JRun is showing it as a "Servlet Error". Notice the lines in your stack trace:
```text
com.providername.client.errors.VerifyErrorReport: Transaction fails verification
com.providername.client.errors.BadRequest: Request fails verification checks
com.providername.client.errors.BadCardNumber: Card length was 16, but we were expecting 0
    at com.providername.util.CardInfo.verifyCardNumber(CardInfo.java:412)
```
That looks like an error thrown by the CardInfo class within verifyCardNumber() on line 412. I think JRun just serves the error as a "Servlet Error" because there's a hard stop in com.providername.client.errors.VerifyErrorReport.
This also might be the reason your <cfcatch> won't catch that exception. The Java class might catch that error and throw that exception within Java which causes that ugly JRun 500 error.
If you don't have the source of the Java to inspect why you're getting that exception in CardInfo, then you should contact the people who own the source to see if they have any insight.
I hope this is in some way helpful to you.