Bug: Apostrophes in Username : Thank-you I shall look into these...

Mon, 10 Apr 2006 11:30:27 +0000

Author: WebWiz-Bruce
Subject: 19223
Posted: 10 April 2006 at 11:30am

Thank-you I shall look into these issues.

Bug: Apostrophes in Username : When I change the username...

Mon, 10 Apr 2006 05:51:18 +0000

Author: djlurchg
Subject: 19223
Posted: 10 April 2006 at 5:51am

When I change the username from FOO to FOO'FOO the username gets changed to FOO''FOO. This is either SQL Injection related or SQL String related.

OK, figured it out. Here's the code from admin_change_username.asp


    strNewUsername = formatSQLInput(strNewUsername)
    
     rsCommon.Fields("UserName") = strNewUsername
    

This should be an easy fix. What you did is prepped the input for use in a SQL string where you have to replace single quotation marks with double quotation marks. That's all well and good if you are updating the values through a SQL statement. You obviously aren't in this case. You are opening a recordset and then setting it equal to the new username. 

Is this a simple oversight, or should we be looking for other errors like this?

BTW, I'm glad no one has to maintain my code, they'd come to my house and wack me upside the head. Borg, you did a nice job of making the code readable. :)

PS: There is also a bug on the page in this javascript code:
alert('The member \'Foo'''' Foo\' has had their username changedto \'Foo'' Foo\'.');

I always enclose my javascript with double quotes. That would solve _part_ of this issue.




Edited by djlurchg - 10 April 2006 at 5:54am

Web Wiz Support and Community Forums : Bug: Apostrophes in Username

Bug: Apostrophes in Username : Thank-you I shall look into these...

Bug: Apostrophes in Username : When I change the username...