[Pushed] Searching for members with underscores in their name via memberlist.php fails
#1
As reported by Cloud on Discord.

The problem is line #225 of memberlist.php, which uses the variable $username_like_query, which has been escaped for a LIKE condition, whereas we need it to be escaped as an ordinary string.

A fix is to change that line from:
            $search_query .= " AND u.username='{$username_like_query}'";

to:
            $username_esc = $db->escape_string($search_username);
            $search_query .= " AND u.username='{$username_esc}'";
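The mismatch described in post #1, reproduced as an added example that is not part of the original post or MyBB's code: a value escaped for LIKE no longer equals the stored username when it is compared with `=`. It assumes Python's in-memory sqlite3 in place of MyBB's database layer, a hypothetical `like_escape` helper, constructed usernames, and bound parameters standing in for ordinary string escaping.

```python
import sqlite3

# Constructed sample usernames; not taken from the report.
USERS = ["cool_user", "coolXuser", "plain"]

def like_escape(value):
    """Hypothetical stand-in for a LIKE-escaping helper: backslash-escape
    the wildcard characters so they match literally inside a LIKE pattern."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [(u,) for u in USERS])
    return db

def find(db, where, value):
    # The value is bound, so only the LIKE-level escaping differs between calls.
    sql = "SELECT username FROM users WHERE " + where + " ORDER BY username"
    return [row[0] for row in db.execute(sql, (value,))]

def demo(search="cool_user"):
    db = make_db()
    escaped = like_escape(search)  # 'cool\_user'
    return {
        # The reported bug: LIKE-escaped value used in an equality test.
        "exact_with_like_escaped": find(db, "username = ?", escaped),
        # The proposed fix: plain value in the equality test.
        "exact_with_plain": find(db, "username = ?", search),
        # Where LIKE escaping belongs: '_' is matched literally.
        "like_with_escaped": find(db, "username LIKE ? ESCAPE '\\'", escaped),
        # Why LIKE escaping exists: an unescaped '_' matches any character.
        "like_unescaped": find(db, "username LIKE ?", search),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```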
#2
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/4294

Thanks for contributing to MyBB!

Regards,
The MyBB Group