Snitz Forums 2000
 possible BUG in user authentication -closed membes
Nooky
Starting Member

10 Posts

Posted - 08 December 2005 : 17:25:47
Hi,

I am not sure; this is just in case I am right.

I figured out some strange behaviour: closed users still surf the forum in a logged-in status.

Two points I figured out which might influence that:

First of all, EVERYWHERE in the forum code (e.g. in the inc_functions function chkUsers) all status checks are done like this:

strSql = strSql & " AND " & strMemberTablePrefix & "MEMBERS.M_STATUS = " & 1

Isn't that generally a wrong way of defining an SQL Query?

Shouldn't it be like:

strSql = strSql & " AND " & strMemberTablePrefix & "MEMBERS.M_STATUS = 1" ?

There are a lot of places in the forum files where this is used (inc_top, in the login part, etc.).

So this is my first concern.

Second of all:

There was another bugfix last year:

http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=28244

which led us to include the following code in the inc_top file to avoid security issues with the cookies by replacing the names within the cookies:


' Re-check the member named in the User cookie against the MEMBERS table
strSql = "SELECT MEMBER_ID, M_NAME, M_PASSWORD "
strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS "
' cookie values are escaped with ChkString before being concatenated into the query
strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(Request.Cookies(strUniqueID & "User")("Name"), "SQLString") & "' "
strSql = strSql & " AND M_PASSWORD = '" & ChkString(Request.Cookies(strUniqueID & "User")("Pword"), "SQLString") & "'"
' note: no M_STATUS condition, so a locked member still matches
Set rsCheck = my_Conn.Execute(strSql)


But this code only solves the cookie issue for users who try to take over another user's identity (username). What about a newly locked user?

Shouldn't there also be a part in this query like " AND M_STATUS=1 "?

Let me know if I am completely wrong! Thank you.


ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 December 2005 : 17:29:22
What Snitz version are you using?


Snitz 3.4 Readme | Like the support? Support Snitz too

Nooky
Starting Member

10 Posts

Posted - 08 December 2005 : 17:37:19
Basically 3.1 SR4, but with nearly all bugfixes and a lot of my own modifications.

But I looked into later releases and the problem still persists with these 2 cases.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 December 2005 : 17:46:46
Maybe you can tell where in the latest version this presumed problem persists?


Snitz 3.4 Readme | Like the support? Support Snitz too

Nooky
Starting Member

10 Posts

Posted - 08 December 2005 : 18:00:35
Can you generally tell me if the SQL statements are wrong (case 1)? Or is it possible to write it that way without possible misinterpretation by the SQL server?

I will have a look at the versions in parallel.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 December 2005 : 18:08:54
Did you try to Response.Write the SQL sent to the server in both situations, just to see if there are any differences?

Anyway, I would strongly advise you to upgrade to the latest version.


Snitz 3.4 Readme | Like the support? Support Snitz too

Nooky
Starting Member

10 Posts

Posted - 08 December 2005 : 18:29:05
Of course I did a Response.Write and it looks the same.

But with "xxxx" & 1 you treat the & 1 as you treat variables. I was not sure, but OK.

And with the missing M_STATUS you do not see an issue?

Upgrading is not an option for me; it would take years. My forum is so heavily customized and has so much additional functionality that it would take years to bring all this into a new version.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 December 2005 : 18:52:34
The SQL sent to the database is the same, so...

Regarding M_STATUS, you should indeed check it, to avoid locked users' access.


Snitz 3.4 Readme | Like the support? Support Snitz too
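Added example (Python with SQLite, not Snitz code) illustrating both points of the thread: the cookie re-authentication query from Nooky's first post, run once without and once with the M_STATUS test that ruirib confirms should be there, plus the two status-clause string forms from the first post producing identical SQL. The table prefix, sample members and password values are constructed, and bound parameters stand in for the ChkString(..., "SQLString") escaping.

```python
import sqlite3

# Constructed stand-in for the Snitz MEMBERS table; the prefix plays the role of
# strMemberTablePrefix from the thread. M_STATUS = 1 is active, 0 is locked.
MEMBER_TABLE_PREFIX = "FORUM_"


def open_sample_db():
    """Create an in-memory database with one active and one locked member."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {MEMBER_TABLE_PREFIX}MEMBERS ("
        "MEMBER_ID INTEGER PRIMARY KEY, M_NAME TEXT, M_PASSWORD TEXT, M_STATUS INTEGER)"
    )
    conn.executemany(
        f"INSERT INTO {MEMBER_TABLE_PREFIX}MEMBERS VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "hash-of-alice-pw", 1),      # active member (constructed)
            (2, "mallory", "hash-of-mallory-pw", 0),  # locked after the cookie was issued
        ],
    )
    return conn


def cookie_login(conn, cookie_name, cookie_pword, check_status):
    """Re-authenticate from the User cookie's Name/Pword values.

    check_status=False reproduces the inc_top query from the thread, which tests
    only name and password; check_status=True adds the missing M_STATUS clause.
    Bound parameters replace the ChkString escaping. Returns MEMBER_ID or None.
    """
    sql = (f"SELECT MEMBER_ID FROM {MEMBER_TABLE_PREFIX}MEMBERS "
           "WHERE M_NAME = ? AND M_PASSWORD = ?")
    params = [cookie_name, cookie_pword]
    if check_status:
        sql += " AND M_STATUS = ?"   # locked members (status 0) no longer match
        params.append(1)
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None


def status_clause_forms():
    """The two string-building forms from the first post yield identical SQL."""
    prefix = MEMBER_TABLE_PREFIX
    concat_number = " AND " + prefix + "MEMBERS.M_STATUS = " + str(1)  # ... & 1
    literal_in_string = " AND " + prefix + "MEMBERS.M_STATUS = 1"      # ... = 1"
    return concat_number, literal_in_string
```

With the original query the locked member "mallory" is still accepted from the cookie; with the M_STATUS clause the lookup returns nothing and the session is not re-established.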