MyBB Community Forums

Full Version: [F] Quote/Apostrophe in usernames
A small thing - one of my users had an apostrophe (') in their username. I had trouble dealing with the Merge Users function with this user. Renaming the user without the (') worked however.

Not a big thing, but I thought I'd just report it in.
Thanks again for the wonderful BB!
I cannot replicate this

Just tried: Made a user test's and a user test2

Merged test's into test, after the confirmation, I get this:
Quote: MySQL error: 1064
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1
Query: UPDATE mybb_forums SET lastposter='test2' WHERE lastposter='test's'

Also noticed a similar issue with theme names, but then, that could be a problem with the theme.
Use this:
This bug has been fixed in the latest code.

Please note the latest code is not live on the site or for download. An update will be released which contains this fix.
Isn't it possible for someone to take advantage of using quotes and single quotes in user names and use an SQL exploit? You have to fix all instances of the username being unescaped when being used in a query to the database. Otherwise, someone may "trick" an administrator into running an SQL query using a specially-constructed username, or be a nuisance due to SQL errors. Do you understand what I mean?
Possible, but 99% unlikely. First of all, you need to be an administrator, and second you'd have to find an exploit that'll fit into the max length of a Username and third the administrator would have to be not knowledgeable enough to not even ban the user in the first place.
Coolv Wrote: Isn't it possible for someone to take advantage of using quotes and single quotes in user names and use an SQL exploit? You have to fix all instances of the username being unescaped when being used in a query to the database. Otherwise, someone may "trick" an administrator into running an SQL query using a specially-constructed username, or be a nuisance due to SQL errors. Do you understand what I mean?

It's only that one instance in the merge users functionality.
That's good to hear.
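
The failure quoted in this thread, reproduced as an added example (not MyBB's code and not the fix the developers shipped): the same UPDATE built by string concatenation and then with bound parameters. It assumes SQLite in place of MySQL so it runs offline; the table and column names come from the quoted query, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one forum row whose last poster is test's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mybb_forums (fid INTEGER PRIMARY KEY, lastposter TEXT)")
    db.executemany("INSERT INTO mybb_forums (lastposter) VALUES (?)",
                   [("test's",), ("someone_else",)])
    return db

def merge_concatenated(db, old_name, new_name):
    """Builds the statement by string concatenation, as in the quoted error.
    The apostrophe in old_name ends the string literal early."""
    sql = ("UPDATE mybb_forums SET lastposter='" + new_name +
           "' WHERE lastposter='" + old_name + "'")
    try:
        return db.execute(sql).rowcount
    except sqlite3.Error as exc:
        # The database rejects the malformed statement; nothing is updated.
        return "SQL error: %s" % exc

def merge_parameterized(db, old_name, new_name):
    """Binds both names as parameters, so a quote in a name stays data
    and never becomes part of the SQL text."""
    cur = db.execute("UPDATE mybb_forums SET lastposter=? WHERE lastposter=?",
                     (new_name, old_name))
    return cur.rowcount

def lastposters(db):
    """Current lastposter values, in forum id order."""
    return [r[0] for r in db.execute(
        "SELECT lastposter FROM mybb_forums ORDER BY fid")]

if __name__ == "__main__":
    db = make_db()
    print(merge_concatenated(db, "test's", "test2"))   # syntax error, no change
    print(lastposters(db))
    print(merge_parameterized(db, "test's", "test2"))  # one row updated
    print(lastposters(db))
```

The username was stored without trouble and only broke a later query that reused it, which is why every query that takes a stored username needs the same treatment, not just the registration form.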