MyBB Community Forums

Full Version: Literal in a username
It is possible for someone to register a username containing a literal, as in user'96. In at least one instance a plugin query results in an error when an apostrophe appears in the username.

SELECT uid, username FROM mybb_users WHERE username LIKE 'bi%' AND username NOT IN ('user'96')

Is there a MyBB function which sanitizes usernames for queries, or is use of a literal not a good idea but not currently filtered out during registration?
In a direct query, use \ to escape chars: SELECT uid, username FROM mybb_users WHERE username LIKE 'bi%' AND username NOT IN ('user\'96')

In MyBB, use $db->escape_string() : https://docs.mybb.com/1.8/development/pl...ape_string
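
An added example, not part of the original thread or MyBB's own code: the query from the first post rebuilt with every value escaped before it is quoted. `StubDb` and `build_username_where` are hypothetical names, and the `addslashes()` stand-in is an assumption made so the snippet runs outside a MyBB install.

```php
<?php
// Stand-in for MyBB's $db so the snippet runs outside a forum install.
// Assumption: addslashes() approximates $db->escape_string() here; inside
// MyBB, use the real global $db, which escapes for the live connection.
class StubDb
{
    public function escape_string($string)
    {
        return addslashes($string);
    }

    public function escape_string_like($string)
    {
        // Also neutralise the LIKE wildcards % and _ in user input.
        return $this->escape_string(
            str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $string)
        );
    }
}

// Hypothetical helper: WHERE clause for "names starting with $prefix,
// except those in $excluded". Every value is escaped before it is quoted.
function build_username_where($db, $prefix, array $excluded)
{
    $where = "username LIKE '" . $db->escape_string_like($prefix) . "%'";

    if (!empty($excluded)) {
        $quoted = array();
        foreach ($excluded as $name) {
            $quoted[] = "'" . $db->escape_string($name) . "'";
        }
        $where .= ' AND username NOT IN (' . implode(',', $quoted) . ')';
    }

    return $where;
}

// Constructed sample input: the username from the thread.
$where = build_username_where(new StubDb(), 'bi', array("user'96"));
echo "SELECT uid, username FROM mybb_users WHERE {$where}\n";
// In a plugin: $query = $db->simple_select('users', 'uid, username', $where);
```

The LIKE prefix goes through `escape_string_like()` rather than `escape_string()` so that a `%` or `_` typed by a user is matched literally instead of acting as a wildcard.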
Simultaneous reply from you and plugin author answers my question.
The plugin is fixed by the author with a simple code assignment.
Thank you for your help.

Each day's adventure in MyBB brings me closer to finally taking the plunge in learning how to code php.

[Image: exploits_of_a_mom.png]
https://xkcd.com/327/
