Using 3.2.12
After uploading a new file via FileZilla and going into the control panel for jDownloads, we get the following error:
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm-Brown-partial.pdf'' at line 1 SQL=SELECT cat_id FROM jml_jdownloads_files WHERE url_download = 'Because-I'm-Brown-partial.pdf'</title>
Now this was resolved by removing the ' from the file name, and I realize that special characters in a file name are bad... (they keep forgetting that.) However, shouldn't jDownloads be "escaping" the input, or using some method so that the fields are treated as literal strings?
I mention this, because I can see this as a potential security risk. Now, I do see there is a new update to jDownloads, however that was not applied at the time this occurred.
Hi,
sorry for the late reply.
So if I have understood it correctly, the uploaded file had single quote characters in the file name?
What configuration settings do you use for 'folders and files'?
I will check this here again...
Hi,
this problem is fixed in the next beta 3.2.15.
From now on, files with a single or double quote character in the filename are ignored in the monitoring function!
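
The escaping question from the first post, as an added example that is not part of the thread and not jDownloads' own code: the lookup from the error message built by string concatenation, next to the same lookup with a bound parameter. SQLite stands in for MySQL here, and the sample rows, `cat_id` values and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: table and column names come from the error message
# in the thread; the rows and cat_id values are made up for this example.
SAMPLE_ROWS = [
    ("Because-I'm-Brown-partial.pdf", 7),
    ("plain-name.pdf", 3),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL table named in the error."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jml_jdownloads_files (cat_id INTEGER, url_download TEXT)")
    db.executemany(
        "INSERT INTO jml_jdownloads_files (url_download, cat_id) VALUES (?, ?)",
        SAMPLE_ROWS,
    )
    return db


def lookup_concatenated(db, filename):
    """Query shape from the error message: the file name is pasted into the SQL text."""
    sql = "SELECT cat_id FROM jml_jdownloads_files WHERE url_download = '" + filename + "'"
    return db.execute(sql).fetchone()


def lookup_bound(db, filename):
    """Same lookup with the file name passed as a bound parameter, never parsed as SQL."""
    sql = "SELECT cat_id FROM jml_jdownloads_files WHERE url_download = ?"
    return db.execute(sql, (filename,)).fetchone()


def scan(db, filenames):
    """Run both lookups per file name (hypothetical stand-in for the monitoring scan)."""
    report = {}
    for name in filenames:
        try:
            concatenated = lookup_concatenated(db, name)
        except sqlite3.OperationalError as exc:
            concatenated = "SQL error: " + str(exc)
        report[name] = (concatenated, lookup_bound(db, name))
    return report


if __name__ == "__main__":
    for name, result in scan(make_db(), [row[0] for row in SAMPLE_ROWS]).items():
        print(name, result)
```

With a bound parameter the file name with the apostrophe is found like any other, so the file does not have to be renamed or skipped for the query to be well-formed.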