
Bug: Apostrophes in Username

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=19223
Printed Date: 12 April 2026 at 2:22pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Bug: Apostrophes in Username
Posted By: djlurchg
Subject: Bug: Apostrophes in Username
Date Posted: 10 April 2006 at 5:51am
When I change the username from FOO to FOO'FOO the username gets changed to FOO''FOO.  This is either SQL Injection related or SQL String related.

OK, figured it out. Here's the code from admin_change_username.asp
<code>
strNewUsername = formatSQLInput(strNewUsername)
' ...
rsCommon.Fields("UserName") = strNewUsername
</code>

This should be an easy fix. What you did is prepped the input for use in a SQL string where you have to replace single quotation marks with double quotation marks. That's all well and good if you are updating the values through a SQL statement. You obviously aren't in this case. You are opening a recordset and then setting it equal to the new username.

Is this a simple oversight, or should we be looking for other errors like this?

BTW, I'm glad no one has to maintain my code; they'd come to my house and whack me upside the head. Borg, you did a nice job of making the code readable. :)

PS: There is also a bug on the page in this javascript code:
alert('The member \'Foo'''' Foo\' has had their username changed to \'Foo'' Foo\'.');

I always enclose my javascript with double quotes. That would solve _part_ of this issue.
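
The double-escaping described in the post above, reproduced as an added example (not part of the original post and not Web Wiz Forums code). It uses Python with an in-memory SQLite table; format_sql_input is a hypothetical stand-in for formatSQLInput, assumed only to double single quotes, and a bound parameter stands in for the recordset field assignment. The members table and function names are constructed for the example.

```python
import sqlite3


def format_sql_input(value: str) -> str:
    """Hypothetical stand-in for formatSQLInput (assumption): double each
    single quote so the value can sit inside a SQL string literal."""
    return value.replace("'", "''")


def _new_db() -> sqlite3.Connection:
    # Constructed sample data: one member named FOO.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO members (id, username) VALUES (1, 'FOO')")
    return db


def _stored(db: sqlite3.Connection) -> str:
    return db.execute("SELECT username FROM members WHERE id = 1").fetchone()[0]


def rename_escaped_then_bound(new_name: str) -> str:
    """Pattern from the post: escape for a SQL literal, then hand the value
    to a data API that never parses it as SQL. The doubled quote is stored."""
    db = _new_db()
    db.execute("UPDATE members SET username = ? WHERE id = 1",
               (format_sql_input(new_name),))
    return _stored(db)


def rename_bound(new_name: str) -> str:
    """Value passed as data with no escaping: stored exactly as typed."""
    db = _new_db()
    db.execute("UPDATE members SET username = ? WHERE id = 1", (new_name,))
    return _stored(db)


def rename_escaped_in_literal(new_name: str) -> str:
    """The only place quote doubling belongs: the value is spliced into SQL
    text, and the SQL parser collapses '' back to a single quote."""
    db = _new_db()
    db.execute("UPDATE members SET username = '"
               + format_sql_input(new_name) + "' WHERE id = 1")
    return _stored(db)


if __name__ == "__main__":
    for fn in (rename_escaped_then_bound, rename_bound, rename_escaped_in_literal):
        print(f"{fn.__name__}: {fn(chr(70) + 'OO' + chr(39) + 'FOO')}")
```

Escaping is tied to the sink: a value that reaches the database as data needs no SQL escaping, and a value that is escaped for one sink and sent to another ends up corrupted in storage.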





Replies:
Posted By: WebWiz-Bruce
Date Posted: 10 April 2006 at 11:30am
Thank you, I shall look into these issues.


