
Bug: Apostrophes in Username

Author: djlurchg
Posted: 10 April 2006 at 5:51am
When I change the username from FOO to FOO'FOO the username gets changed to FOO''FOO.  This is either SQL Injection related or SQL String related.

OK, figured it out. Here's the code from admin_change_username.asp
<code>
strNewUsername = formatSQLInput(strNewUsername)
</code>
<code>
rsCommon.Fields("UserName") = strNewUsername
</code>

This should be an easy fix. What you did is prepped the input for use in a SQL string where you have to replace single quotation marks with double quotation marks. That's all well and good if you are updating the values through a SQL statement. You obviously aren't in this case. You are opening a recordset and then setting it equal to the new username.

Is this a simple oversight, or should we be looking for other errors like this?

BTW, I'm glad no one has to maintain my code, they'd come to my house and whack me upside the head. Borg, you did a nice job of making the code readable. :)

PS: There is also a bug on the page in this javascript code:
alert('The member \'Foo'''' Foo\' has had their username changed to \'Foo'' Foo\'.');

I always enclose my javascript with double quotes. That would solve _part_ of this issue.




Edited by djlurchg - 10 April 2006 at 5:54am
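
The double-escaping reported in the post above, reproduced as an added example (not Web Wiz Forums code and not part of the original post). Python with an in-memory SQLite table stands in for the ASP recordset; `format_sql_input`, the `author` table and the other function names are assumptions made for the illustration.

```python
import sqlite3

def format_sql_input(value):
    # Assumed stand-in for the forum's formatSQLInput: doubles single quotes
    # so the value can sit inside a quoted SQL string literal.
    return value.replace("'", "''")

def _fresh_db():
    # Constructed sample table holding one member named FOO.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE author (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO author (id, username) VALUES (1, 'FOO')")
    return db

def _stored(db):
    return db.execute("SELECT username FROM author WHERE id = 1").fetchone()[0]

def escape_then_bind(new_name):
    # The reported bug: the value is escaped for a SQL literal, then handed to
    # an API that carries it as data (a bound parameter here, a recordset
    # field in the post). Nothing parses the '' back, so it is stored as-is.
    db = _fresh_db()
    db.execute("UPDATE author SET username = ? WHERE id = 1",
               (format_sql_input(new_name),))
    return _stored(db)

def bind_only(new_name):
    # The fix: a data-carrying API gets the raw value, with no quote doubling.
    db = _fresh_db()
    db.execute("UPDATE author SET username = ? WHERE id = 1", (new_name,))
    return _stored(db)

def escape_into_literal(new_name):
    # The one context where doubling belongs: SQL text built by concatenation.
    # The SQL parser collapses '' back into a single quote.
    db = _fresh_db()
    db.execute("UPDATE author SET username = '"
               + format_sql_input(new_name) + "' WHERE id = 1")
    return _stored(db)

if __name__ == "__main__":
    for fn in (escape_then_bind, bind_only, escape_into_literal):
        print(f"{fn.__name__:20} -> {fn(chr(70) + chr(79) + chr(79) + chr(39) + 'FOO')}")
```

Escaping is tied to the context that will parse the value: applied before a data-carrying write it corrupts the stored name, and the same raw value still needs separate encoding when it is later written into a JavaScript string.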

Author: WebWiz-Bruce (Web Wiz Developer)
Posted: 10 April 2006 at 11:30am
Thank you, I shall look into these issues.