Insert into Post fails

  • This is really bizarre. I was having the problem with uploading images, which I fixed with the .htaccess fix from the sticky, but clicking on the Insert into Post button failed (got a generic website configuration 500 error page, but nothing interesting in the log).

    In the course of investigating this, I found that if I put the words “Insert into Post” in the editor and try to save the post…it blows up! (same 500 error).

    It doesn’t matter whether there are other words in the post, and it has to be those words in that order. “Insert in Post” is ok, “Post into Insert” is ok, etc. But “Insert into Post” throws an error every time.

    Further experiment seems to show that it’s “Insert into” itself that’s the culprit. If I break those up with non-whitespace, it works instead of erroring. It appears that somewhere there’s a regex that’s scanning the incoming text on a save and picking out “Insert into”, maybe thinking it’s an SQL statement?

Viewing 4 replies - 1 through 4 (of 4 total)

  • Wow, that’s interesting. Maybe it will lead to a solution?

    Bingo! There’s your problem.

    The function “attribute_escape()” in in the file “media.php” treats the string “Insert into” as attempt to insert an SQL command into the db.

    The solution is simply to change the wording from “Insert into” to something else that doesn’t mimic an SQL command.

    Nice find jamused!

    I think this will also solve or avoid having to .htaccess out the security mod.

    Same problem here – though I got a 404 HTTP error – not a 500 (WordPress 2.7.1). And changing “Insert into post” to “Insert media into post” worked great. Alternatively maybe it would work just changing it to “Insert into post” (Replacing some chars with HTML entities) – haven’t tried.

    For people who want to do this the file you want to edit is located here:
    wp-admin/includes/media.php

    There are several places in this file where you need to edit.

    Someone should fix this in a later version of WordPress. Even though it only affects some people, it stupid to put something there that just might break.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Really? If your mod_security isn’t allowing the word “insert” to come over POST channels, then you’ve got bigger issues. What if you want to use the word “insert” in a normal post? Or “update”?

    Disabling mod_security is the simplest fix, or getting your host to use sane mod_security rulesets would be better.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Insert into Post fails’ is closed to new replies.