FAQ Module - Search problem

Moderator: crythias

keitarobr
Znuny newbie
Posts: 16
Joined: 10 Jan 2013, 22:41
Znuny Version: 4.0.3
Real Name: Rodrigo Gonçalves
Company: UFSC

FAQ Module - Search problem

Post by keitarobr »

Dear all,

We've identified the following logs in our OTRS:

Message: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation 'like', SQL: 'SELECT i.id, count( v.item_id ) as votes, avg( v.rate ) as vrate FROM faq_item i LEFT JOIN faq_voting v ON v.item_id = i.id LEFT JOIN faq_state s ON s.id = i.state_id WHERE i.valid_id IN (1) AND s.type_id IN (3) AND LOWER(i.f_keywords) LIKE LOWER('%configuraäÛÎÔÛÜ<U+009D>^P<U+009E>OPØ]^YYÛÜ<U+009E>NÓÜ<U+0099>^Y\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\<U+008F>QESCÝÛ<U+008E>ÔÝ^X\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\<U+009D>^R^Z]^OL%') AND i.approved = 1 GROUP BY i.id, i.f_subject, i.f_language_id, i.created, i.changed, s.name, v.item_id ORDER BY i.changed DESC, i.id DESC LIMIT 200'


Looks like some robot from a remote IP ( 5.10.83.94 ).

My question is: shouldn't the FAQ work with param binding, to prevent SQL injection? I've looked into the code and it does not use such a feature. This is a serious security issue in a web system.
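The two patterns the post contrasts, shown side by side as an added example (this is not code from OTRS or the FAQ module; it uses an in-memory SQLite table standing in for `faq_item`, constructed rows, and hypothetical function names `search_unsafe` / `search_safe`). The unsafe variant pastes the search term into the SQL text of the `LIKE` clause, as in the logged statement; the safe variant passes the pattern as a bound parameter and additionally escapes the `LIKE` metacharacters `%` and `_` so they match literally.

```python
import sqlite3

# Constructed sample rows standing in for the faq_item table seen in the log.
SAMPLE_ITEMS = [
    (1, "Configuration of mail accounts", "configuration,mail"),
    (2, "Printing problems", "printer,hardware"),
    (3, "Search tips", "search,100%,tips"),
]


def make_db():
    """Create an in-memory database with a minimal faq_item table (constructed, not the OTRS schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faq_item (id INTEGER PRIMARY KEY, f_subject TEXT, f_keywords TEXT)"
    )
    conn.executemany("INSERT INTO faq_item VALUES (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """The pattern the post objects to: the user's term becomes part of the SQL text.

    A stray quote in the term ends the string literal early, and % or _ in the
    term act as wildcards rather than as characters to look for.
    """
    sql = "SELECT id FROM faq_item WHERE LOWER(f_keywords) LIKE LOWER('%" + term + "%')"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so a user-supplied % or _ matches literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_safe(conn, term):
    """Bound parameter: the pattern travels as data, never as SQL text."""
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT id FROM faq_item WHERE LOWER(f_keywords) LIKE LOWER(?) ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def demo():
    """Run both variants over the constructed rows and report what each returns."""
    conn = make_db()
    results = {
        "safe_plain": search_safe(conn, "Configuration"),
        "safe_literal_percent": search_safe(conn, "100%"),
        "safe_literal_underscore": search_safe(conn, "100_"),
        # '_' is a single-character wildcard here, so "100_" matches "100%".
        "unsafe_underscore_wildcard": search_unsafe(conn, "100_"),
    }
    try:
        search_unsafe(conn, "o'brien")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        # The quote in the term broke the statement: the term was parsed as SQL.
        results["unsafe_quote"] = "syntax error"
    # The bound version simply finds no row containing the literal text.
    results["safe_quote"] = search_safe(conn, "o'brien")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The syntax error on the quoted term is the same symptom class as the logged `Illegal mix of collations` failure: in both cases the database parser, not the application, is the first thing to see user input, which is exactly what binding avoids. Note that binding alone does not neutralise `%` and `_` inside a `LIKE` pattern; that is why `escape_like` is applied before the value is bound.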
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: FAQ Module - Search problem

Post by jojo »

I can see no issue of a remote SQL injection here. But it seems that your database and/or tables are not utf8.

Also, please always tell which OTRS and module version you are using.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com