The registration process of my gallery is resulting in a critical error. Only registration appears to cause the issue, I'm not experiencing it anywhere else.
Quote:
Critical error
Script called without the required parameter(s). (username)
Website is -- www.londonallstars.co.uk/gallery
Username is: testing
Password is: testing
Debug mode is enabled.
Any help greatly appreciated.
Thank you.
Please upgrade to the latest stable release (currently cpg1.5.22) and report if the issue still exists.
I hadn't done so as the release states it is not essential. I will do so though.
Are you aware that the date for the new update is wrong on the news section?
Quote:
2011-08-01: cpg1.5.22 has been released. It fixes various issues, so all users of the cpg1.5.x series are encouraged to upgrade. The upgrade is not security-related.
I am about to upgrade but wanted to add that I just noticed the following in my Coppermine database logs:
Quote:
While executing query 'SELECT cid FROM cpg_categories WHERE lft BETWEEN AND ' in include/functions.inc.php on line 54 the following error was encountered:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND' at line 1
Quote from: cyberdyne2 on March 20, 2013, 12:30:11 PM
Are you aware that the date for the new update is wrong on the news section?
Fixed. Thanks.
OK update. Process seemed to go well but still receiving error on registration:
Quote:
Critical error
Script called without the required parameter(s). (username)
File: [removed]/gallery/register.php - Line: 460
Site details remain as above.
Please open register.php, find
$user_name = trim(get_post_var('username'));
and above, add
print_r($superCage->post->_source);print_r(trim($superCage->post->getEscaped('username')));pagefooter();die();
This won't fix your issue but prints the content of POST data. After you confirm that you have applied the change I'll try again to register in your gallery to see the new output.
Change made.
My output after the change was:
Array ( [username] => NewUser [password] => password [password_verification] => password [email] => test@fu.fu [user_profile1] => none [user_profile2] => none [agree] => 1 [confirmCode] => WPTRE [submit] => Submit registration )
Please replace the new line with
print_r($superCage->post->_source);print_r($superCage->post->getRaw('username'));pagefooter();die();
Quote from: Αndré on March 20, 2013, 02:03:32 PM
Please replace the new line with
print_r($superCage->post->_source);print_r($superCage->post->getRaw('username'));pagefooter();die();
Done.
It seems that there's an issue with the getEscaped method, the trim function or their combination.
Please replace the new line one more time with the following lines:
echo "<hr />trim(getEscaped): ";print_r(trim($superCage->post->getEscaped('username')));
echo "<hr />getEscaped: ";print_r($superCage->post->getEscaped('username'));
echo "<hr />trim(getRaw): ";print_r(trim($superCage->post->getRaw('username')));
echo "<hr />getRaw: ";print_r($superCage->post->getRaw('username'));
echo "<hr />";pagefooter();die();
Quote from: Αndré on March 20, 2013, 02:55:18 PM
Please replace the new line one more time with the following lines:
echo "<hr />trim(getEscaped): ";print_r(trim($superCage->post->getEscaped('username')));
echo "<hr />getEscaped: ";print_r($superCage->post->getEscaped('username'));
echo "<hr />trim(getRaw): ";print_r(trim($superCage->post->getRaw('username')));
echo "<hr />getRaw: ";print_r($superCage->post->getRaw('username'));
echo "<hr />";pagefooter();die();
Done.
Thank you for your time André
Output is
Quote:
trim(getEscaped):
getEscaped:
trim(getRaw): André
getRaw: André
which means that the getEscaped function doesn't work for you. It does basically
return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES));
so let's try to figure out what exactly is wrong.
Updated code:
$_POST = $superCage->post->_source;
echo "<hr />mysql_real_escape_string(htmlspecialchars({$_POST['username']}, ENT_QUOTES)): ".mysql_real_escape_string(htmlspecialchars($_POST['username'], ENT_QUOTES));
echo "<hr />htmlspecialchars({$_POST['username']}, ENT_QUOTES): ".htmlspecialchars($_POST['username'], ENT_QUOTES);
echo "<hr />htmlspecialchars({$_POST['username']}): ".htmlspecialchars($_POST['username']);
echo "<hr />mysql_real_escape_string({$_POST['username']}): ".mysql_real_escape_string($_POST['username']);
echo "<hr />";pagefooter();die();
Quote from: Αndré on March 20, 2013, 03:07:55 PM
Updated code:
$_POST = $superCage->post->_source;
echo "<hr />mysql_real_escape_string(htmlspecialchars({$_POST['username']}, ENT_QUOTES)): ".mysql_real_escape_string(htmlspecialchars($_POST['username'], ENT_QUOTES));
echo "<hr />htmlspecialchars({$_POST['username']}, ENT_QUOTES): ".htmlspecialchars($_POST['username'], ENT_QUOTES);
echo "<hr />htmlspecialchars({$_POST['username']}): ".htmlspecialchars($_POST['username']);
echo "<hr />mysql_real_escape_string({$_POST['username']}): ".mysql_real_escape_string($_POST['username']);
echo "<hr />";pagefooter();die();
I got the same results.
Update done.
Quote:
mysql_real_escape_string(htmlspecialchars(André, ENT_QUOTES)):
htmlspecialchars(André, ENT_QUOTES): André
htmlspecialchars(André): André
mysql_real_escape_string(André):
If we don't use mysql_real_escape_string (http://www.php.net/manual/en/function.mysql-real-escape-string.php) it works as expected. What's your PHP version? Do you find anything at the phpinfo (http://www.londonallstars.co.uk/gallery/phpinfo.php) about that function?
Quote from: Αndré on March 20, 2013, 03:16:33 PM
If we don't use mysql_real_escape_string (http://www.php.net/manual/en/function.mysql-real-escape-string.php) it works as expected. What's your PHP version?
PHP Version 5.2.9
Quote from: Αndré on March 20, 2013, 03:16:33 PM
Do you find anything at the phpinfo (http://www.londonallstars.co.uk/gallery/phpinfo.php) about that function?
Nothing found relating to that, no. I will look again but a search found nothing.
Can I PM you a link to a php info page ?
Quote from: cyberdyne2 on March 20, 2013, 03:26:56 PM
Can I PM you a link to a php info page ?
I'll send you my contact details directly after this post. But as I'm not sure if I'll find anything helpful, please also ask your hosting provider what could be wrong with that function in the meantime.
OK, will do. Thank you André
Does this help? I don't know enough about MySql / PHP to know if this alternative code would make a difference.
Thank you.
Quote:
Put mysql_connect("host", "user", "pass") or die('save_failed'); before mysql_real_escape_string.
http://stackoverflow.com/questions/7803522/mysql-real-escape-string-works-in-localhost-but-not-on-webserver
I had no luck with the server host unfortunately André. Their reply was as follows:
Quote:
I am not aware of any server changes that would have affected this function, and we have not had any similar reports of problems with this function from other users on that shared server. If it does not affect site functionality or security in any way, I would suggest you stick with the alternate approach that was shown to work in the support thread while you are establishing if there is a cause in the application for this.
Reading the link referenced at http://stackoverflow.com/questions/7803522/mysql-real-escape-string-works-in-localhost-but-not-on-webserver I am wondering if you would need to make sure you are opening the database connection prior to calling the 'mysql_real_escape_string'. You might want to check if you are connecting via localhost or by the external IP. If you are using the external IP, maybe switching to localhost might make a difference?
Any idea where I can get help to fix this please?
Coppermine is already connected to the database at this point, so I don't think it will solve your issue. But you could try to add $CONFIG['LINK_ID'] as link_identifier to the mysql_real_escape_string function in include/inspekt.php. This means, find
return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES));
and replace with
global $CONFIG;
return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES), $CONFIG['LINK_ID']);
(untested).
Quote from: Αndré on March 20, 2013, 07:34:52 PM
Coppermine is already connected to the database at this point, so I don't think it will solve your issue. But you could try to add $CONFIG['LINK_ID'] as link_identifier to the mysql_real_escape_string function in include/inspekt.php. This means, find
return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES));
and replace with
global $CONFIG;
return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES), $CONFIG['LINK_ID']);
(untested).
Αndré, thank you so much, this did in fact solve the problem and all seems well now.
Again, thank you very much for your time.
It seems that you're the first problem facing this issue. However, as I don't think it will harm anything, this change will probably be a part of the next release of cpg1.5.x.
Quote from: Αndré on March 20, 2013, 07:57:23 PM
It seems that you're the first problem facing this issue. However, as I don't think it will harm anything, this change will probably be a part of the next release of cpg1.5.x.
I'm glad to hear that if nothing else I managed to uncover a possible bug :)
If possible, would you be able to remove my directory name (between /home/ and public_html/) from my previous post please?
http://forum.coppermine-gallery.net/index.php/topic,76112.msg367364.html#msg367364
Thank you
Path removed.
Quote from: Αndré on March 20, 2013, 08:02:40 PM
Path removed.
Thank you André, have a good rest of the week ;)
Committed fix in SVN revision 8550.
As the above change breaks the installer for me, I replaced the code with
global $CONFIG;
if ($CONFIG['LINK_ID']) {
    return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES), $CONFIG['LINK_ID']);
} else {
    return mysql_real_escape_string(htmlspecialchars($value, ENT_QUOTES));
}
in SVN revision 8573.
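
The failure diagnosed in this thread, as an added example that is not part of the thread or of Coppermine's code: an escaper that cannot use its database link returns false, which then reads as an empty username and surfaces as a misleading "required parameter" error. The function name escape_or_fail and the two stand-in closures are hypothetical, chosen so the example runs without a database.

```php
<?php
// Added example, not Coppermine code. All names below are hypothetical.

/**
 * HTML-encode, then SQL-escape, and refuse to continue if the escaper fails.
 * $sqlEscape stands in for a connection-bound escaper, for instance
 *   function ($s) use ($link) { return mysqli_real_escape_string($link, $s); }
 */
function escape_or_fail($value, callable $sqlEscape)
{
    $encoded = htmlspecialchars((string) $value, ENT_QUOTES);
    $escaped = $sqlEscape($encoded);

    // The legacy mysql_real_escape_string() returns false on error. Used as a
    // string, false becomes '', which matches the empty debug output above.
    if (!is_string($escaped) || ($escaped === '' && $encoded !== '')) {
        throw new RuntimeException('SQL escaping failed: check the database link');
    }
    return $escaped;
}

// Constructed stand-ins so the example runs offline.
$workingLink = function ($s) { return addslashes($s); }; // simulation only, not real escaping
$brokenLink  = function ($s) { return false; };          // escaper with no usable link

$post = array('username' => "O'Brien <b>");              // constructed sample input

// Normal path: the encoded and escaped value is returned.
echo escape_or_fail($post['username'], $workingLink), "\n";

try {
    // Failure path: the broken escaper is detected before the value is used.
    escape_or_fail($post['username'], $brokenLink);
} catch (RuntimeException $e) {
    // Reported as an escaping failure instead of a missing parameter.
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```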