Author: cfinck Date: Sat Oct 11 09:09:38 2008 New Revision: 36716
URL: http://svn.reactos.org/svn/reactos?rev=36716&view=rev Log: The Wiki treats underscores and spaces in usernames as the same thing, so collisions can occur if we have two usernames differing only in this respect. Since we have lots of usernames with spaces and underscores nowadays, this is a compromise:
- Check if a username only differing in underscores vs. spaces already exists before registering a similar username - Make sure the Wiki database only contains usernames with spaces
Modified: trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php trunk/web/reactos.org/htdocs/roscms/logon/user_register.php
Modified: trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php
URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/roscms/inc/s...
==============================================================================
--- trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php [iso-8859-1] (original)
+++ trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php [iso-8859-1] Sat Oct 11 09:09:38 2008
@@ -49,7 +49,7 @@
 " WHERE m.map_roscms_userid = u.user_id " .
 " AND m.map_subsys_name = 'wiki' " .
 " AND p.user_id = m.map_subsys_userid " .
- " AND (u.user_name != p.user_name OR " .
+ " AND (REPLACE(u.user_name, '_', ' ') != p.user_name OR " .
 " u.user_email != p.user_email OR " .
 " u.user_fullname != p.user_real_name) ";
 $query_set = mysql_query($query) or die("DB error (subsys_wiki #1)");
@@ -115,12 +115,13 @@
 $roscms_user_fullname, $wiki_user_id) {
+ $wiki_sql_user_name = mysql_real_escape_string(str_replace("_", " ", $roscms_user_name)); + /* Make sure that the email address and/or user name are not already in use in wiki */
 $query = "SELECT COUNT(*) AS inuse " .
 " FROM " . SUBSYS_WIKI_DBNAME . ".user " .
- " WHERE (LOWER(user_name) = LOWER('" .
- mysql_real_escape_string($roscms_user_name) . "') OR " .
+ " WHERE (LOWER(user_name) = LOWER('" . $wiki_sql_user_name . "') OR " .
 " LOWER(user_email) = LOWER('" .
 mysql_real_escape_string($roscms_user_email) . "')) " .
 " AND user_id <> $wiki_user_id ";
@@ -137,7 +137,7 @@
 /* Now, make sure that info in wiki matches info in roscms */
 $query = "UPDATE " . SUBSYS_WIKI_DBNAME . ".user " .
 " SET user_name = '" .
- mysql_real_escape_string($roscms_user_name) . "', " .
+ $wiki_sql_user_name . "', " .
 " user_email = '" .
 mysql_real_escape_string($roscms_user_email) . "', " .
 " user_real_name = '" . 
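Review bot: The new drift test `REPLACE(u.user_name, '_', ' ') != p.user_name` only undoes underscores on the roscms side; if the wiki applies any further canonicalization to stored names (for instance forcing the first character to upper case), a roscms name that starts lower-case would compare unequal on every run and the UPDATE later in this file would be re-issued on each sync. That is worth confirming against the wiki's user table before treating this condition as a reliable "out of sync" signal. The same expression is repeated in the hunk at -362, and the mirror form `REPLACE('…', '_', ' ')` appears in the hunks at -153 and -238; one PHP helper that returns the wiki form of a roscms name would keep all of them in step. The query assembly this hunk sits in starts above the hunk.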
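Review bot: `$wiki_sql_user_name` holds a value that is both normalized and already SQL-escaped, and it is reused verbatim in the UPDATE in the hunk at -137, but nothing at the declaration says so; a later edit that displays it, logs it, or escapes it a second time would silently be wrong. Add `// Wiki form of the name (spaces, not underscores), already escaped for SQL; do not escape again` above the assignment. Note also that this hunk does the `'_'` to `' '` mapping in PHP with `str_replace`, while the hunks at -153 and -238 do it in SQL with `REPLACE()`; pick one so the two cannot drift apart. The function's body continues past the hunk.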
@@ -153,53 +154,17 @@
 $roscms_user_email, $roscms_user_fullname) {
- $default_options = "quickbar=1\n" .
- "underline=1\n" .
- "hover=1\n" .
- "cols=80\n" .
- "rows=25\n" .
- "searchlimit=20\n" .
- "contextlines=5\n" .
- "contextchars=50\n" .
- "skin=roscms\n" .
- "math=1\n" .
- "rcdays=7\n" .
- "rclimit=50\n" .
- "highlightbroken=1\n" .
- "stubthreshold=0\n" .
- "previewontop=1\n" .
- "editsection=1\n" .
- "editsectiononrightclick=0\n" .
- "showtoc=1\n" .
- "showtoolbar=1\n" .
- "date=0\n" .
- "searchNs-1=0\n" .
- "searchNs0=1\n" .
- "searchNs1=0\n" .
- "searchNs2=0\n" .
- "searchNs3=0\n" .
- "searchNs4=0\n" .
- "searchNs5=0\n" .
- "searchNs6=0\n" .
- "searchNs7=0\n" .
- "searchNs8=0\n" .
- "searchNs9=1\n" .
- "searchNs10=0\n" .
- "searchNs11=1\n" .
- "rememberpassword=0\n";
-
 $query = "INSERT INTO " . SUBSYS_WIKI_DBNAME . ".user " .
 " (user_name, user_real_name, user_password, " .
 " user_newpassword, user_email, user_options, " .
- " user_touched, user_token)" .
- "VALUES ('" . mysql_real_escape_string($roscms_user_name) . "', " .
+ " user_touched)" .
+ "VALUES (REPLACE('" . mysql_real_escape_string($roscms_user_name) . "', '_', ' '), " .
 " '" . mysql_real_escape_string($roscms_user_fullname) . "', " .
- " '*', " .
- " '*', " .
+ " '', " .
+ " '', " .
 " '" . mysql_real_escape_string($roscms_user_email) . "', " .
- " '$default_options', " .
- " DATE_FORMAT(NOW(), '%Y%m%d%H%i%s'), " .
- " '********************************')";
+ " '', " .
+ " DATE_FORMAT(NOW(), '%Y%m%d%H%i%s'));";
 mysql_query($query) or die("DB error (subsys_wiki #10)");
/* Finally, insert a row in the mapping table */
@@ -238,8 +203,8 @@
 /* That failed. Let's try to match on user name then */
 $query = "SELECT user_id " .
 " FROM " . SUBSYS_WIKI_DBNAME . ".user " .
- " WHERE LOWER(user_name) = LOWER('" .
- mysql_real_escape_string($roscms_user_name) . "')";
+ " WHERE LOWER(user_name) = LOWER(REPLACE('" .
+ mysql_real_escape_string($roscms_user_name) . "', '_', ' '))";
 $wiki_name_set = mysql_query($query) or die("DB error (subsys_wiki #6)");
 if ($wiki_name_row = mysql_fetch_array($wiki_name_set))
@@ -362,7 +327,7 @@
 " WHERE m.map_roscms_userid = u.user_id " .
 " AND m.map_subsys_name = 'wiki' " .
 " AND w.user_id = m.map_subsys_userid " .
- " AND (u.user_name != w.user_name OR " .
+ " AND (REPLACE(u.user_name, '_', ' ') != w.user_name OR " .
 " u.user_email != w.user_email OR " .
 " u.user_fullname != w.user_real_name) ";
 $query_set = mysql_query($query) or die("DB error (subsys_wiki #12)");
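Review bot: The INSERT now writes `''` into `user_password` and `user_newpassword` where the old code wrote `'*'`, leaves `user_options` empty and no longer sets `user_token` at all, and neither the code nor the log message says why. Whether the wiki treats an empty password hash or an empty token as "no credential" or as a value that can be matched at login is something to confirm against the wiki's login and session code, because it decides whether an account created by this path can be signed into directly rather than only through roscms. If roscms is meant to be the only authenticator, say so above the INSERT with `/* Wiki-side credentials are deliberately left empty: authentication goes through roscms, never the wiki login form */`; if not, restore explicit placeholder values. The trailing `;` inside the query string is also new here and absent from every other query in this file's hunks. The function's declaration is above the hunk.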
Modified: trunk/web/reactos.org/htdocs/roscms/logon/user_register.php
URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/roscms/logon...
==============================================================================
--- trunk/web/reactos.org/htdocs/roscms/logon/user_register.php [iso-8859-1] (original)
+++ trunk/web/reactos.org/htdocs/roscms/logon/user_register.php [iso-8859-1] Sat Oct 11 09:09:38 2008
@@ -59,9 +59,9 @@
 <?php if (isset($_POST['registerpost']) && $_POST['username'] != "" && strlen($_POST['username']) >= $rdf_register_user_name_min) {
 // check if another account with the same username already exists
- $sql_exist_name = "SELECT user_name
+ $sql_exist_name = "SELECT user_name
 FROM users
- WHERE user_name = '".mysql_real_escape_string(strtolower($_POST['username']))."'
+ WHERE REPLACE(user_name, '_', ' ') = LOWER(REPLACE('" . mysql_real_escape_string($_POST['username'])."', '_', ' '))
 LIMIT 1;";
 $query_exist_name = mysql_query($sql_exist_name);
 $result_exist_name = mysql_fetch_array($query_exist_name);
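Review bot: The two sides of the new comparison are not treated alike: the stored name is only normalized, `REPLACE(user_name, '_', ' ')`, while the submitted name is normalized and lower-cased, `LOWER(REPLACE(...))`. As in the old query only the submitted side is lower-cased, so whether an existing `Foo Bar` still blocks a new `foo_bar` depends on the case of stored names and the column's collation; under a case-sensitive collation it no longer does. Use `WHERE LOWER(REPLACE(user_name, '_', ' ')) = LOWER(REPLACE('" . mysql_real_escape_string($_POST['username']) . "', '_', ' '))` so both sides get the same treatment, and note that wrapping the column in `REPLACE()` means any index on `user_name` cannot be used for this lookup. A SELECT followed by a separate INSERT remains a best-effort check: two registrations racing through this block can both pass it, so the database should still carry a unique constraint as the last line of defence. The surrounding `if` block continues past the hunk.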