Author: cfinck Date: Sat Oct 11 09:09:38 2008 New Revision: 36716

URL: http://svn.reactos.org/svn/reactos?rev=36716&view=rev Log: The Wiki treats underscores and spaces in usernames as the same thing, so it can come to collisions if we have two usernames only differing in these aspects. Since we have lots of usernames with spaces and underscores nowadays, this is a compromise:

- Check if a username only differing in underscores vs. spaces already exists before registering a similar username - Make sure the Wiki database only contains usernames with spaces

Modified: trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php trunk/web/reactos.org/htdocs/roscms/logon/user_register.php

Modified: trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/roscms/inc/s... ============================================================================== --- trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php [iso-8859-1] (original) +++ trunk/web/reactos.org/htdocs/roscms/inc/subsys_wiki.php [iso-8859-1] Sat Oct 11 09:09:38 2008 @@ -49,7 +49,7 @@ " WHERE m.map_roscms_userid = u.user_id " . " AND m.map_subsys_name = 'wiki' " . " AND p.user_id = m.map_subsys_userid " . - " AND (u.user_name != p.user_name OR " . + " AND (REPLACE(u.user_name, '_', ' ') != p.user_name OR " . " u.user_email != p.user_email OR " . " u.user_fullname != p.user_real_name) "; $query_set = mysql_query($query) or die("DB error (subsys_wiki #1)"); @@ -115,12 +115,13 @@ $roscms_user_fullname, $wiki_user_id) { + $wiki_sql_user_name = mysql_real_escape_string(str_replace("_", " ", $roscms_user_name)); + /* Make sure that the email address and/or user name are not already in use in wiki */ $query = "SELECT COUNT(*) AS inuse " . " FROM " . SUBSYS_WIKI_DBNAME . ".user " . - " WHERE (LOWER(user_name) = LOWER('" . - mysql_real_escape_string($roscms_user_name) . "') OR " . + " WHERE (LOWER(user_name) = LOWER('" . $wiki_sql_user_name . "') OR " . " LOWER(user_email) = LOWER('" . mysql_real_escape_string($roscms_user_email) . "')) " . " AND user_id <> $wiki_user_id "; @@ -137,7 +138,7 @@ /* Now, make sure that info in wiki matches info in roscms */ $query = "UPDATE " . SUBSYS_WIKI_DBNAME . ".user " . " SET user_name = '" . - mysql_real_escape_string($roscms_user_name) . "', " . + $wiki_sql_user_name . "', " . " user_email = '" . mysql_real_escape_string($roscms_user_email) . "', " . " user_real_name = '" . @@ -153,53 +154,17 @@ $roscms_user_email, $roscms_user_fullname) { - $default_options = "quickbar=1\n" . - "underline=1\n" . - "hover=1\n" . - "cols=80\n" . - "rows=25\n" . - "searchlimit=20\n" . - "contextlines=5\n" . - "contextchars=50\n" . - "skin=roscms\n" . - "math=1\n" . - "rcdays=7\n" . - "rclimit=50\n" . - "highlightbroken=1\n" . - "stubthreshold=0\n" . - "previewontop=1\n" . - "editsection=1\n" . - "editsectiononrightclick=0\n" . - "showtoc=1\n" . - "showtoolbar=1\n" . - "date=0\n" . - "searchNs-1=0\n" . - "searchNs0=1\n" . - "searchNs1=0\n" . - "searchNs2=0\n" . - "searchNs3=0\n" . - "searchNs4=0\n" . - "searchNs5=0\n" . - "searchNs6=0\n" . - "searchNs7=0\n" . - "searchNs8=0\n" . - "searchNs9=1\n" . - "searchNs10=0\n" . - "searchNs11=1\n" . - "rememberpassword=0\n"; - $query = "INSERT INTO " . SUBSYS_WIKI_DBNAME . ".user " . " (user_name, user_real_name, user_password, " . " user_newpassword, user_email, user_options, " . - " user_touched, user_token)" . - "VALUES ('" . mysql_real_escape_string($roscms_user_name) . "', " . + " user_touched)" . + "VALUES (REPLACE('" . mysql_real_escape_string($roscms_user_name) . "', '_', ' '), " . " '" . mysql_real_escape_string($roscms_user_fullname) . "', " . - " '*', " . - " '*', " . + " '', " . + " '', " . " '" . mysql_real_escape_string($roscms_user_email) . "', " . - " '$default_options', " . - " DATE_FORMAT(NOW(), '%Y%m%d%H%i%s'), " . - " '********************************')"; + " '', " . + " DATE_FORMAT(NOW(), '%Y%m%d%H%i%s'));"; mysql_query($query) or die("DB error (subsys_wiki #10)");

/* Finally, insert a row in the mapping table */ @@ -238,8 +203,8 @@ /* That failed. Let's try to match on user name then */ $query = "SELECT user_id " . " FROM " . SUBSYS_WIKI_DBNAME . ".user " . - " WHERE LOWER(user_name) = LOWER('" . - mysql_real_escape_string($roscms_user_name) . "')"; + " WHERE LOWER(user_name) = LOWER(REPLACE('" . + mysql_real_escape_string($roscms_user_name) . "', '_', ' '))"; $wiki_name_set = mysql_query($query) or die("DB error (subsys_wiki #6)"); if ($wiki_name_row = mysql_fetch_array($wiki_name_set)) @@ -362,7 +327,7 @@ " WHERE m.map_roscms_userid = u.user_id " . " AND m.map_subsys_name = 'wiki' " . " AND w.user_id = m.map_subsys_userid " . - " AND (u.user_name != w.user_name OR " . + " AND (REPLACE(u.user_name, '_', ' ') != w.user_name OR " . " u.user_email != w.user_email OR " . " u.user_fullname != w.user_real_name) "; $query_set = mysql_query($query) or die("DB error (subsys_wiki #12)");

Modified: trunk/web/reactos.org/htdocs/roscms/logon/user_register.php URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/roscms/logon... ============================================================================== --- trunk/web/reactos.org/htdocs/roscms/logon/user_register.php [iso-8859-1] (original) +++ trunk/web/reactos.org/htdocs/roscms/logon/user_register.php [iso-8859-1] Sat Oct 11 09:09:38 2008 @@ -59,9 +59,9 @@ <?php if (isset($_POST['registerpost']) && $_POST['username'] != "" && strlen($_POST['username']) >= $rdf_register_user_name_min) { // check if another account with the same username already exists - $sql_exist_name = "SELECT user_name + $sql_exist_name = "SELECT user_name FROM users - WHERE user_name = '".mysql_real_escape_string(strtolower($_POST['username']))."' + WHERE REPLACE(user_name, '_', ' ') = LOWER(REPLACE('" . mysql_real_escape_string($_POST['username'])."', '_', ' ')) LIMIT 1;"; $query_exist_name = mysql_query($sql_exist_name); $result_exist_name = mysql_fetch_array($query_exist_name);