MyBB Community Forums

Full Version: Here is my footer stats and resource usage. what do you think
Yes. Looks like 2 for every user.

Example:
UPDATE mybb_users SET `lastvisit`='1399991001', `lastactive`='1399991001' WHERE uid='34659' 

and

INSERT INTO mybb_sessions (`sid`,`uid`,`ip`,`location`,`time`) VALUES ('dokter__4uSrDaEaxBlABud','34658','','forumdisplay.php?fid=5','1399991001') 

On a side note, it's this 2nd query that broke MyBB when users used a ' in their username. I just made it so users couldn't put a ' in their username. For me it's no problem, 1 out of 5-10,000 users might try to use that character, but thought it was worth mentioning.

Not sure if other characters will break it or not, but that's the only one I've had issue with.
(2014-05-13, 02:25 PM)DrXotick Wrote: For me it's no problem, 1 out of 5-10,000 users might try to use that character

Wrong. I have told you already in another topic that the username isn't escaped with $db->escape_string() in the query so it's a high security risk - anyone is still able to attack your forum with SQL injection which can have serious consequences (unless you turn the plugin off or modify its code). Disallowing ' doesn't solve it at all, it's like fixing a leaking roof with a bucket on the floor where all the water is falling down.
In reference to the problem of crashing the forum, it does fix it.

Is there some suggestion you have for modifying the code to avoid SQL injection, since Yaldaram is useless when it comes to maintaining his plugins or replying to issues?
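As an added illustration of the escape_string() point made above and of the fix being asked for here (example code, not the plugin's or MyBB's own): the session INSERT from this thread built with the raw username, beside the same query with every user-supplied value escaped. The 'dokter__...' sid suggests the plugin derives the session id from the username; that derivation, the suffix, and the DbStub stand-in for MyBB's $db are assumptions.

```php
<?php
// Added example, not the plugin's or MyBB's own code. Assumes the plugin builds
// the session id (sid) from the username, as the 'dokter__...' value in the
// thread suggests, and assumes MyBB's $db->escape_string()/$db->write_query().

// Stand-in for MyBB's $db so this file runs outside a forum install. Its
// escape_string() applies MySQL's backslash quoting rules; MyBB's real one
// delegates to mysqli_real_escape_string on the live connection.
class DbStub
{
    public $last_query = '';
    public function escape_string($s)
    {
        return strtr($s, ["\\" => "\\\\", "'" => "\\'", '"' => '\\"',
                          "\0" => "\\0", "\n" => "\\n", "\r" => "\\r"]);
    }
    public function write_query($sql)
    {
        $this->last_query = $sql;
    }
}

// The pattern the thread describes: the raw username lands in the SQL string.
// A username such as O'Brien ends the quoted literal early, so MySQL sees a
// syntax error (the "crash") and user-chosen text reaches the SQL parser.
function insert_session_unescaped($db, $username, $uid, $location, $time)
{
    $sid = $username . '__4uSrDaEaxBlABud';  // constructed suffix
    $db->write_query("INSERT INTO mybb_sessions (`sid`,`uid`,`ip`,`location`,`time`) "
        . "VALUES ('{$sid}','{$uid}','','{$location}','{$time}')");
    return $db->last_query;
}

// Hardened form: every string that came from the user goes through
// escape_string(), and integer columns are cast so they cannot carry text.
function insert_session_escaped($db, $username, $uid, $location, $time)
{
    $sid = $db->escape_string($username . '__4uSrDaEaxBlABud');
    $loc = $db->escape_string($location);
    $uid = (int) $uid;
    $time = (int) $time;
    $db->write_query("INSERT INTO mybb_sessions (`sid`,`uid`,`ip`,`location`,`time`) "
        . "VALUES ('{$sid}','{$uid}','','{$loc}','{$time}')");
    return $db->last_query;
}

$db = new DbStub();
echo insert_session_unescaped($db, "O'Brien", 34658, 'forumdisplay.php?fid=5', 1399991001), "\n";
echo insert_session_escaped($db, "O'Brien", 34658, 'forumdisplay.php?fid=5', 1399991001), "\n";
```

The first line printed shows the literal closed early by the quote in O'Brien; the second carries O\'Brien and is what the plugin should be sending.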