Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[F] Quote/Apostrophe in usernames
#1
A small thing - one of my users had an apostrophe (') in their username. I had trouble dealing with the Merge Users function with this user. Renaming the user without the (') worked however.

Not a big thing, but I thought I'd just report it in Toungue
Thanks again for the wonderful BB!
#2
I cannot replicate this
#3
Confused

Just tried: Made a user test's and a user test2

Merged test's into test, after the confirmation, I get this:
Quote:MySQL error: 1064
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1
Query: UPDATE mybb_forums SET lastposter='test2' WHERE lastposter='test's'

Also noticed a similar issue with theme names, but then, that could be a problem with the theme Toungue
#4
Use this:


Attached Files
.php   users.php (Size: 73.15 KB / Downloads: 256)
#5
This bug has been fixed in the latest code.

Please note the latest code is not live on the site or for download. An update will be released which contains this fix.
#6
Isn't it possible for someone to take advantage of using quotes and single quotes in user names and use an SQL exploit? You have to fix all instances of the username being unescaped when being used in a query to the database. Otherwise, someone may "trick" an administrator into running an SQL query using a specially-constructed username, or be a nuisance due to SQL errors. Do you understand what I mean?
#7
Possible, but 99% unlikely. First of all, you need to be an administrator, and second you'd have to find an exploit that'll fit into the max length of a Username and third the administrator would have to be not knowledgeable enough to not even ban the user in the first place.
#8
Coolv Wrote:Isn't it possible for someone to take advantage of using quotes and single quotes in user names and use an SQL exploit? You have to fix all instances of the username being unescaped when being used in a query to the database. Otherwise, someone may "trick" an administrator into running an SQL query using a specially-constructed username, or be a nuisance due to SQL errors. Do you understand what I mean?

It's only that one instance in the merge users functionality.
#9
That's good to hear. Smile


Forum Jump:


Users browsing this thread: 1 Guest(s)