Author: cfinck
Date: Sat Oct 11 09:09:38 2008
New Revision: 36716
URL:
http://svn.reactos.org/svn/reactos?rev=36716&view=rev
Log:
The Wiki treats underscores and spaces in usernames as the same thing, so collisions can occur
if two usernames differ only in these characters.
Since we have lots of usernames with spaces and underscores nowadays, this is a
compromise:
- Check if a username only differing in underscores vs. spaces already exists before
registering a similar username
- Make sure the Wiki database only contains usernames with spaces
Modified:
trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php
trunk/web/reactos.org/htdocs/roscms/logon/user_register.php
Modified:
trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php
URL:
http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/roscms/inc/…
==============================================================================
---
trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php [iso-8859-1] (original)
+++
trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php [iso-8859-1] Sat Oct 11
09:09:38 2008
@@ -49,7 +49,7 @@
" WHERE m.map_roscms_userid = u.user_id " .
" AND m.map_subsys_name = 'wiki' " .
" AND p.user_id = m.map_subsys_userid " .
- " AND (u.user_name != p.user_name OR " .
+ " AND (REPLACE(u.user_name, '_', ' ') != p.user_name OR
" .
" u.user_email != p.user_email OR " .
" u.user_fullname != p.user_real_name) ";
$query_set = mysql_query($query) or die("DB error (subsys_wiki #1)");
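Review bot: The added `REPLACE(u.user_name, '_', ' ') != p.user_name` test on the first changed line is an exact comparison, while the duplicate-name checks elsewhere in this file compare with `LOWER()` on both sides. If the `user_name` columns of the roscms and wiki databases use different collations, or the wiki normalises case on its side, a name that differs only in case would be reported as mismatched on every sync and rewritten each time; I would either apply `LOWER()` on both sides here as well, or document that case differences are meant to be pushed through, e.g. `/* case-sensitive on purpose: a case-only difference must be synced to the wiki */`. The SELECT this WHERE clause belongs to begins before the hunk.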
@@ -115,12 +115,13 @@
$roscms_user_fullname,
$wiki_user_id)
{
+ $wiki_sql_user_name = mysql_real_escape_string(str_replace("_", " ",
$roscms_user_name));
+
/* Make sure that the email address and/or user name are not already in
use in wiki */
$query = "SELECT COUNT(*) AS inuse " .
" FROM " . SUBSYS_WIKI_DBNAME . ".user " .
- " WHERE (LOWER(user_name) = LOWER('" .
- mysql_real_escape_string($roscms_user_name) . "') OR " .
+ " WHERE (LOWER(user_name) = LOWER('" . $wiki_sql_user_name .
"') OR " .
" LOWER(user_email) = LOWER('" .
mysql_real_escape_string($roscms_user_email) . "')) " .
" AND user_id <> $wiki_user_id ";
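Review bot: The new `$wiki_sql_user_name` is escaped correctly, but the same query still interpolates `$wiki_user_id` raw on the last context line of the hunk. It is presumably an integer read from the mapping table, so this is not a live injection, but pinning it costs one cast: `" AND user_id <> " . (int)$wiki_user_id;`. A short comment above the new assignment would also help the next reader, e.g. `/* the wiki stores names with spaces; compare and store the space form so 'a_b' and 'a b' are one account */`. The enclosing function's signature starts before the hunk and its body continues after it.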
@@ -137,7 +138,7 @@
/* Now, make sure that info in wiki matches info in roscms */
$query = "UPDATE " . SUBSYS_WIKI_DBNAME . ".user " .
" SET user_name = '" .
- mysql_real_escape_string($roscms_user_name) . "', " .
+ $wiki_sql_user_name . "', " .
" user_email = '" .
mysql_real_escape_string($roscms_user_email) . "', " .
" user_real_name = '" .
@@ -153,53 +154,17 @@
$roscms_user_email,
$roscms_user_fullname)
{
- $default_options = "quickbar=1\n" .
- "underline=1\n" .
- "hover=1\n" .
- "cols=80\n" .
- "rows=25\n" .
- "searchlimit=20\n" .
- "contextlines=5\n" .
- "contextchars=50\n" .
- "skin=roscms\n" .
- "math=1\n" .
- "rcdays=7\n" .
- "rclimit=50\n" .
- "highlightbroken=1\n" .
- "stubthreshold=0\n" .
- "previewontop=1\n" .
- "editsection=1\n" .
- "editsectiononrightclick=0\n" .
- "showtoc=1\n" .
- "showtoolbar=1\n" .
- "date=0\n" .
- "searchNs-1=0\n" .
- "searchNs0=1\n" .
- "searchNs1=0\n" .
- "searchNs2=0\n" .
- "searchNs3=0\n" .
- "searchNs4=0\n" .
- "searchNs5=0\n" .
- "searchNs6=0\n" .
- "searchNs7=0\n" .
- "searchNs8=0\n" .
- "searchNs9=1\n" .
- "searchNs10=0\n" .
- "searchNs11=1\n" .
- "rememberpassword=0\n";
-
$query = "INSERT INTO " . SUBSYS_WIKI_DBNAME . ".user " .
" (user_name, user_real_name, user_password, " .
" user_newpassword, user_email, user_options, " .
- " user_touched, user_token)" .
- "VALUES ('" . mysql_real_escape_string($roscms_user_name) .
"', " .
+ " user_touched)" .
+ "VALUES (REPLACE('" .
mysql_real_escape_string($roscms_user_name) . "', '_', ' '),
" .
" '" . mysql_real_escape_string($roscms_user_fullname) .
"', " .
- " '*', " .
- " '*', " .
+ " '', " .
+ " '', " .
" '" . mysql_real_escape_string($roscms_user_email) .
"', " .
- " '$default_options', " .
- " DATE_FORMAT(NOW(), '%Y%m%d%H%i%s'), " .
- " '********************************')";
+ " '', " .
+ " DATE_FORMAT(NOW(), '%Y%m%d%H%i%s'));";
mysql_query($query) or die("DB error (subsys_wiki #10)");
/* Finally, insert a row in the mapping table */
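Review bot: The rewritten INSERT now writes `''` for `user_password` and `user_newpassword` and no longer sets `user_token`, so the row depends on the wiki's column default for the token and on the wiki rejecting an empty password hash, and neither assumption is recorded anywhere. Removing the old fixed `'********************************'` token is the right direction (one constant token shared by every synced account is itself a weak choice), but whether the wiki issues a fresh random `user_token` for a row created behind its back, rather than treating an empty stored token as matching an empty cookie, should be confirmed before relying on it. I would add a comment above the INSERT such as `/* no local credentials: the wiki account is driven by the roscms logon; the wiki is expected to generate its own user_token — verify this holds for rows created here */`. The enclosing function's signature starts before the hunk and the function continues after the mapping-table comment.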
@@ -238,8 +203,8 @@
/* That failed. Let's try to match on user name then */
$query = "SELECT user_id " .
" FROM " . SUBSYS_WIKI_DBNAME . ".user " .
- " WHERE LOWER(user_name) = LOWER('" .
- mysql_real_escape_string($roscms_user_name) . "')";
+ " WHERE LOWER(user_name) = LOWER(REPLACE('" .
+ mysql_real_escape_string($roscms_user_name) . "', '_',
' '))";
$wiki_name_set = mysql_query($query)
or die("DB error (subsys_wiki #6)");
if ($wiki_name_row = mysql_fetch_array($wiki_name_set))
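Review bot: The fallback lookup on the changed `WHERE` line now links a roscms account to a wiki account whose name matches case-insensitively with underscores and spaces treated as equal, with nothing else tying the two accounts together. If a wiki user can exist that was not created through roscms, a fresh roscms registration of a similar-looking name would be attached to that existing account; the registration check in user_register.php only consults the roscms `users` table, so it would not prevent this. If that scenario is possible, the match should also require the email to agree, or refuse to link and report the conflict; otherwise a comment should state why a name-only match is safe, e.g. `/* name-only match is safe because every wiki row is created by this sync */`. The `if` opened on the last line of the hunk continues beyond it.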
@@ -362,7 +327,7 @@
" WHERE m.map_roscms_userid = u.user_id " .
" AND m.map_subsys_name = 'wiki' " .
" AND w.user_id = m.map_subsys_userid " .
- " AND (u.user_name != w.user_name OR " .
+ " AND (REPLACE(u.user_name, '_', ' ') != w.user_name OR
" .
" u.user_email != w.user_email OR " .
" u.user_fullname != w.user_real_name) ";
$query_set = mysql_query($query) or die("DB error (subsys_wiki #12)");
Modified:
trunk/web/reactos.org/htdocs/roscms/logon/user_register.php
URL:
http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/roscms/logo…
==============================================================================
---
trunk/web/reactos.org/htdocs/roscms/logon/user_register.php [iso-8859-1] (original)
+++
trunk/web/reactos.org/htdocs/roscms/logon/user_register.php [iso-8859-1] Sat Oct 11
09:09:38 2008
@@ -59,9 +59,9 @@
<?php
if (isset($_POST['registerpost']) && $_POST['username']
!= "" && strlen($_POST['username']) >=
$rdf_register_user_name_min) {
// check if another account with the same username already exists
- $sql_exist_name = "SELECT user_name
+ $sql_exist_name = "SELECT user_name
FROM users
- WHERE user_name =
'".mysql_real_escape_string(strtolower($_POST['username']))."'
+ WHERE REPLACE(user_name, '_', ' ') =
LOWER(REPLACE('" .
mysql_real_escape_string($_POST['username'])."', '_', '
'))
LIMIT 1;";
$query_exist_name = mysql_query($sql_exist_name);
$result_exist_name = mysql_fetch_array($query_exist_name);
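Review bot: The new `WHERE` clause only folds `_` into a space, but the wiki's own name normalisation is, as far as I know, wider than that (MediaWiki also trims and collapses runs of spaces/underscores and capitalises the first character), so `foo__bar` or ` foo bar` would still pass this check and then collide with `foo bar` on the wiki side. I would normalise the submitted name once in PHP before both this query and the later INSERT, e.g. `$name_norm = preg_replace('/[\s_]+/', ' ', trim($_POST['username']));`, and compare `LOWER(REPLACE(user_name, '_', ' ')) = LOWER('" . mysql_real_escape_string($name_norm) . "')` — the left side of the new comparison has no `LOWER()`, so a stored mixed-case name only matches if the column collation happens to be case-insensitive. The result of `mysql_query()` is also handed straight to `mysql_fetch_array()` on the last line without a check, so a failed query presumably reads as "name is free". The `if` block this belongs to continues beyond the hunk.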