Apostrophe in member name #286
Comments
Regarding the first issue – the missing member from the front-end – there seems to be a mismatch between the handles: The Member: Username field uses this SQL: `SELECT `entry_id` FROM `tbl_entries_data_104` WHERE `handle` = 'director-s-uncut' LIMIT 1` The handle stored in the database is
This is how the handle is built when creating a user: `Lang::createHandle(trim($data))` This is how it's created when trying to log in: `Lang::createHandle($username)`
The only thing I can think of that might result in different apostrophe handling is different transliteration. I deactivated the German localisation and recreated the user with the same effect – so that shouldn't be the cause.
@nilshoerrmann add this line here `$data = array_map(array('MySQL', 'cleanValue'), $data);` Same fix would be needed here as well. The `$data` array is imploded without being properly escaped. BTW, this makes it possible to do SQL injection...
No, only
Any idea regarding the different handle generation?
@brendo and @michael-e: What's the reason behind using the

```php
$member_id = Symphony::Database()->fetchVar('entry_id', 0, sprintf(
    $this->get('id'), Lang::createHandle($username)
));
```

See: https://github.com/symphonycms/members/blob/master/fields/field.memberusername.php#L84-L87 Wouldn't that possibly lead to member mismatches because different names might result in identical handles? Why doesn't members use the actual provided
No, it shouldn't, because we check this when creating a new username. @nitriques is correct, the underlying Identity class should be escaping for SQL injection.
We often prefer handle because generally it's shorter (perf) and free from punctuation. That said, I'm a bit unsure how the handle could be two different things,
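The two points made above (nitriques: the `$data` array is imploded into the statement unescaped, which is an SQL injection vector; brendo: escaping belongs in the Identity layer) can be reproduced outside Symphony. The following is an added example, not code from the members extension or Symphony CMS: it stores a member called `Director's uncut` in a table named like the one in the SQL quoted above, shows the query breaking when the raw value is concatenated in, and then shows the two defensive forms. `makeHandle()` is an assumed stand-in for `Lang::createHandle()`, and PDO over an in-memory SQLite database stands in for Symphony's MySQL layer, with `PDO::quote()` playing the role of `MySQL::cleanValue()`.

```php
<?php
// Added example, not code from the members extension or Symphony CMS.
// It reproduces the defect discussed in this thread: a member value that
// contains an apostrophe is interpolated into SQL unescaped, which breaks the
// query and is an injection vector. The table and column names mirror the SQL
// quoted above; an in-memory SQLite database stands in for MySQL.

// Rough stand-in for Lang::createHandle() (assumption: the real function also
// transliterates and truncates): lower-case, runs of non-alphanumerics become '-'.
function makeHandle(string $name): string
{
    $handle = strtolower(trim($name));
    $handle = preg_replace('/[^a-z0-9]+/', '-', $handle);
    return trim($handle, '-');
}

// Constructed fixture: one member row whose value contains an apostrophe.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl_entries_data_104 (entry_id INTEGER, value TEXT, handle TEXT)');
    $ins = $db->prepare('INSERT INTO tbl_entries_data_104 (entry_id, value, handle) VALUES (?, ?, ?)');
    $ins->execute([1, "Director's uncut", makeHandle("Director's uncut")]);
    return $db;
}

// Vulnerable pattern: the raw value is concatenated into the statement, the
// same problem as imploding an unescaped $data array.
function lookupUnsafe(PDO $db, string $value)
{
    $sql = "SELECT entry_id FROM tbl_entries_data_104 WHERE value = '" . $value . "' LIMIT 1";
    return $db->query($sql)->fetchColumn();
}

// Fix 1, the approach taken in the thread: escape every value before it is
// placed in the statement (PDO::quote() here, MySQL::cleanValue() in Symphony).
function lookupEscaped(PDO $db, string $value)
{
    $sql = 'SELECT entry_id FROM tbl_entries_data_104 WHERE value = ' . $db->quote($value) . ' LIMIT 1';
    return $db->query($sql)->fetchColumn();
}

// Fix 2: bind the value as a parameter so the SQL parser never sees it.
function lookupBound(PDO $db, string $value)
{
    $stmt = $db->prepare('SELECT entry_id FROM tbl_entries_data_104 WHERE value = ? LIMIT 1');
    $stmt->execute([$value]);
    return $stmt->fetchColumn();
}

$db = openDb();
$name = "Director's uncut";

// The handle has no apostrophe, which is why the handle-based lookup in the
// thread did not raise a syntax error while the value-based one did.
echo "handle:  ", makeHandle($name), "\n";

try {
    // The apostrophe terminates the string literal; the rest is a syntax error.
    lookupUnsafe($db, $name);
} catch (PDOException $e) {
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}

// Both defensive forms return the entry_id of the stored row.
echo "escaped: ", lookupEscaped($db, $name), "\n";
echo "bound:   ", lookupBound($db, $name), "\n";
```

Escaping each value before it is interpolated (the fix applied in this thread) is correct as long as it is done everywhere the value reaches a statement; binding parameters removes the need to remember that at each call site, which is the reason to prefer it where the database layer supports it.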
Okay, that's good to know. Still, I don't understand why Members created different handles for the same user. This happens with localisation extensions disabled so there shouldn't be any differences in the transliteration settings. I was thinking that maybe one part uses
I've fixed this.
It's not a bug. There is sadly no nice way to
Let's continue this in #288
This commit fixes a couple of possible SQLi errors. Fixes #286
We have a newly created user that's called `Director's uncut`. While front-end creation worked perfectly, it's neither possible to log into the front-end nor to filter by this name in the backend: The SQL error reads
and highlights the following line:
This is obviously invalid.
We are using latest `integration` with latest Symphony (2.6.11). Any ideas how to fix this?
/cc @brendo