Saturday, April 19, 2008

Mandriva 2008.1 Spring

Finally! The official spring version of Mandriva Linux was released last week. As a great fan, I downloaded the 3-CD version and tried upgrading my system to see the cool new features.

Unfortunately, after inspecting my system, the installer warned me that it could not do a safe upgrade to 2008.1 and recommended that I do a fresh install instead. I have had enough problems after every system upgrade, so I figured it would be best to do as advised. But I have been enjoying my box so much that it will take a lot of time to back up the data, install the new system and customize it...

So I guess I'll have to hold off a little longer...

Thursday, April 10, 2008

Noobs happen here

Kevin Turner came to Vietnam yesterday for the "Heroes happen here" events, at which he introduced the "new and innovative" 2008 solutions. But the companion website, http://www.heroeshappenhere.vn, is very much vulnerable to SQL injection. A single quote submitted through the newsletter sign-up box in the page footer is concatenated straight into the query text, and the server answers with the following unhandled SqlException, source code included:

Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.

Source Error:

Line 21: cmd.CommandText="SELECT count(*) FROM Newletters WHERE Email='"+ txtEmail.Text+"'";
Line 22:
Line 23: int Count = (int)cmd.ExecuteScalar();
Line 24:
Line 25: if (Count > 0)


Source File: d:\hosting\heroeshappenhere\footer.ascx Line: 23

Stack Trace:

[SqlException (0x80131904): Unclosed quotation mark before the character string '''.
Line 1: Incorrect syntax near '''.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +925466
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +800118
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +186
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +1932
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +31
System.Data.SqlClient.SqlDataReader.get_MetaData() +62
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +297
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +1005
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +132
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteScalar() +137
ASP.footer_ascx.cmdNewletter_Click(Object sender, EventArgs e) in d:\hosting\heroeshappenhere\footer.ascx:23
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746


Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433


M$ is still M$, after all...
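To make the bug in footer.ascx line 21 concrete, here is an added example (not code from the site or the original post) that re-creates the same string concatenation against an in-memory SQLite database in Python, next to the parameterized form that fixes it. The table name Newletters is copied from the stack trace; the subscriber rows and the `probe` helper are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a stand-in for the site's Newletters table.
SUBSCRIBERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def make_db():
    """Build a fresh in-memory database with the constructed subscriber list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Newletters (Email TEXT)")
    conn.executemany("INSERT INTO Newletters (Email) VALUES (?)",
                     [(e,) for e in SUBSCRIBERS])
    return conn


def count_vulnerable(conn, email):
    # Same construction as footer.ascx line 21: the user-supplied string is
    # pasted directly into the SQL text, so quotes in it become SQL syntax.
    sql = "SELECT count(*) FROM Newletters WHERE Email='" + email + "'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, email):
    # Hardened form: the value is bound as a parameter and is never parsed as
    # SQL, whatever characters it contains.
    sql = "SELECT count(*) FROM Newletters WHERE Email=?"
    return conn.execute(sql, (email,)).fetchone()[0]


def probe(email):
    """Run one input through both versions and return (vulnerable, safe).

    A vulnerable result of "error" stands in for the unhandled database
    exception the site's error page exposed.
    """
    conn = make_db()
    try:
        vuln = count_vulnerable(conn, email)
    except sqlite3.Error:
        vuln = "error"
    safe = count_parameterized(conn, email)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    for payload in ["alice@example.com", "'", "' OR '1'='1", "x' OR 1=1 --"]:
        vuln, safe = probe(payload)
        print(f"{payload!r:22} concatenated -> {vuln!r:8} parameterized -> {safe}")
```

The lone quote reproduces the crash from the error page (an unterminated string literal), while the `' OR '1'='1` payload turns the "already subscribed?" check into a query that matches every row; the parameterized version treats both inputs as ordinary e-mail strings and simply reports no match.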