jlcox
Starting Member
7 Posts
Posted - 23 August 2001 : 19:32:14
If a user registers using a name containing a single-quote, e.g. "d'Arcy", a SQL syntax error will occur. One option is to check for single-quotes right off the bat and disallow this. Another option is to allow it, but escape all single-quotes. The following fix takes the latter approach.
Fixes:
in inc_functions.asp change line 1102 in function chkForumModerator from strSql = strSql & " AND me.M_NAME = '" & fMember_Name & "'"
to
strSql = strSql & " AND me.M_NAME = '" & chkString(fMember_Name,"SQLString") & "'"
also change line 2022 in function getMemberNumber from
strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & fUser_Name & "'"
to
strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & chkString(fUser_Name,"SQLString") & "'"
In function chkUser the name and password are finally checked for single-quotes, closing the door well after the horse has left the barn.
change
if rsCheck.BOF or rsCheck.EOF or not(ChkQuoteOk(fName)) or not(ChkQuoteOk(fPassword)) then
to
if rsCheck.BOF or rsCheck.EOF then
similar fix in chkUser2, line 946.
in register.asp
line 82, change
strSql = strSql & " WHERE M_NAME = '" & Trim(Request.Form("Name")) &"'"
to
strSql = strSql & " WHERE M_NAME = '" & chkString(Trim(Request.Form("Name")),"SQLString") &"'"
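As an added illustration (not code from this thread or from Snitz itself), a Python/sqlite3 stand-in for the getMemberNumber lookup: the raw concatenation fails on "d'Arcy", the quote-doubling escape that the chkString(..., "SQLString") fix relies on makes it succeed, and a parameterized query avoids the problem without any escaping at all. The table, its rows and the sql_string helper are constructed for the example; that chkString's SQLString mode doubles single quotes is an assumption.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the members table (not Snitz's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER PRIMARY KEY, M_NAME TEXT)")
    conn.executemany("INSERT INTO FORUM_MEMBERS (M_NAME) VALUES (?)",
                     [("d'Arcy",), ("alice",)])
    return conn

def sql_string(value):
    """Escape a value for a single-quoted SQL literal by doubling every single quote.
    Assumed to be the same idea behind chkString(..., "SQLString") in the post's fix."""
    return value.replace("'", "''")

def lookup_unescaped(conn, name):
    """The pre-fix pattern from getMemberNumber: raw concatenation of the supplied name."""
    sql = "SELECT MEMBER_ID FROM FORUM_MEMBERS WHERE M_NAME = '" + name + "'"
    return conn.execute(sql).fetchone()

def lookup_escaped(conn, name):
    """The post's fix: escape the name before concatenating it into the literal."""
    sql = "SELECT MEMBER_ID FROM FORUM_MEMBERS WHERE M_NAME = '" + sql_string(name) + "'"
    return conn.execute(sql).fetchone()

def lookup_parameterized(conn, name):
    """Preferred approach: the driver binds the value, so quotes in it are never parsed as SQL."""
    return conn.execute("SELECT MEMBER_ID FROM FORUM_MEMBERS WHERE M_NAME = ?", (name,)).fetchone()

def demo(name):
    """Run all three lookups; for the one that fails, return the exception class name instead."""
    conn = make_db()
    try:
        raw = lookup_unescaped(conn, name)
    except sqlite3.OperationalError as e:  # "d'Arcy" terminates the literal early: syntax error
        raw = type(e).__name__
    return raw, lookup_escaped(conn, name), lookup_parameterized(conn, name)

if __name__ == "__main__":
    print(demo("alice"))    # all three lookups succeed
    print(demo("d'Arcy"))   # only the escaped and parameterized lookups succeed
```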
Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts
Posted - 07 November 2001 : 17:02:16
Was this fixed? I remember someone with a quote (') in their name on one of my forums and no trouble....
--------------- -Da_Stimulator Stims Snitz Test area - Running 3.3.03, 4 beta, and Huw's modified code Need a Mod? Check out the Mod Resource
Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts
Posted - 07 November 2001 : 23:01:04
fixed for 3.4