bug in [code] rendering - backslash-zero renders as unprintable
by Orion Elenzil · in Site Feedback · 10/06/2009 (2:39 pm) · 8 replies
i have a resource which includes the very typical initialization of a char variable to '[backslash-zero]'. however, when rendered in the code-block, it displays as a little question-mark inside a diamond. when copied from "plain" mode, it copies as [[4acbb70b3666b]]. this seems pretty serious, as that's a very common construct in code snippets.
.. also, when i edited this post right here, the actual backslash-zero character-pair had been replaced, in the text edit box, by the question-mark-diamond thing. hence spelling out "blackslash zero"
ooo
.. also, when i edited this post right here, the actual backslash-zero character-pair had been replaced, in the text edit box, by the question-mark-diamond thing. hence spelling out "blackslash zero"
ooo
About the author
#2
www.garagegames.com/community/resources/view/18637
Why are these characters being deleted by the posts?
11/02/2009 (5:06 am)
Yeah, I noticed that backslash's themselves are being eaten by the [ code ] blocks as well, noted in this resource for destroying copy-paste'ability.www.garagegames.com/community/resources/view/18637
Why are these characters being deleted by the posts?
#3
Because it's a missing addslahes as opposed to a missing stripslashes (where everyone's quotations would end up looking like this: \'), this actually means that GG is *probably* vulnerable to an SQL injection, and should be taken care of ASAP. I'm linking this thread to them via the Contact Us page, to make sure someone see's it.
11/03/2009 (12:28 pm)
It's a fairly common bug with database driven websites, although *extra* slashes tend to be even more common. For example if the GG site is PHP driven, somewhere there's a missing addslashes before posts are stored in the database, but stripslashes is still being called when they're loaded.Because it's a missing addslahes as opposed to a missing stripslashes (where everyone's quotations would end up looking like this: \'), this actually means that GG is *probably* vulnerable to an SQL injection, and should be taken care of ASAP. I'm linking this thread to them via the Contact Us page, to make sure someone see's it.
#4
11/03/2009 (5:23 pm)
or, what is more likely, they have extra "stripslashes" before generating html, as I haven't seen any SQL-related errors while posting really hard-escaped code. 
#6
11/19/2009 (3:34 pm)
word.
#7
11/19/2009 (3:48 pm)
David Montgomery-Blake sent me an email, 15 days ago, after I submitted a bug report via the Contact Us form saying he'd have the web team look into it.
#8
Torque is now licensed by Torque. Yeah, Torque is great! They make Torque! Like that's not confusing. Wonder who came up with that bright idea.
11/19/2009 (4:55 pm)
Well, they're probably busy with more important matters. Like changing all the GarageGames references to TorquePowered or just "Torque". :/ Torque is now licensed by Torque. Yeah, Torque is great! They make Torque! Like that's not confusing. Wonder who came up with that bright idea.
Associate Orion Elenzil
Real Life Plus