Moodle

Locked fields data in user/edit.php is not quoted in SQL when updating database

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Duplicate
  • Affects Version/s: 1.5.2
  • Fix Version/s: 1.6.4, 1.7.1, 1.8
  • Component/s: Authentication
  • Labels:
    None
  • Environment:
    Linux
  • Database:
    PostgreSQL
  • Affected Branches:
    MOODLE_15_STABLE
  • Fixed Branches:
    MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE

Description

When firstname and lastname are imported automatically from an LDAP directory, and those fields are locked in Moodle, then the user/edit.php file fails for names containing SQL special characters like ' (apostrophe). This results in a "Could not update the user record (xx)" error when the user updates his profile.

I'm using PostgreSQL as the backend, and here is the log from Apache's error log for LDAP user Temp O'rary:

[client 10.0.0.221] SQL ERROR: syntax error at or near rary at character 55 in /usr/share/moodle/user/edit.php on line 200. STATEMENT: UPDATE mdl_user SET firstname = 'Temp', lastname = 'O'rary', email = 'temp@temp.com', emailstop = '0', icq = '', phone1 = '', phone2 = '', department = 'ou=Staff,dc=xyz,dc=org', address = '', city = 'te', country = 'IN', lang = 'en', url = '', description = 'te', mailformat = '1', maildigest = '0', maildisplay = '2', htmleditor = '1', autosubscribe = '1', timemodified = '1126763914', idnumber = '10947', msn = '', aim = '', yahoo = '', skype = '', timezone = '99', trackforums = '0' WHERE id = '45', referer: http://xyz.org/user/edit.php?id=45&course=1

From what I can see in user/edit.php, the part that adds and strips slashes to $usernew does so before the locked field data items are replaced from $user. My patch therefore shifts the position of that code to after the locked fields replacement is done. Is the solution okay?

— /home/ducs/edit.php 2005-09-15 10:57:03.000000000 +0530

+++ edit.php 2005-09-15 11:39:32.000000000 +0530

@@ -108,17 +108,6 @@

}

}

  • foreach ($usernew as $key => $data) { - $usernew->$key = addslashes(clean_text(stripslashes(trim($usernew->$key)), FORMAT_MOODLE)); - }

-

  • $usernew->firstname = strip_tags($usernew->firstname);
  • $usernew->lastname = strip_tags($usernew->lastname);

-

  • if (isset($usernew->username)) { - $usernew->username = moodle_strtolower($usernew->username); - }

-

require_once($CFG->dirroot.'/lib/uploadlib.php');

$um = new upload_manager('imagefile',false,false,null,false,0,true,true);
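
Review bot: with the escaping loop, the strip_tags() calls and the moodle_strtolower() call removed here at line 108, everything up to their new position at line 129 now works on raw $usernew values. The context lines visible in this hunk (the uploadlib require and the upload_manager constructor) do not read $usernew, but the lines between the two hunks are not shown. Please confirm that none of them compares $usernew->username or places a $usernew field into a query before the block runs again.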

@@ -140,6 +129,18 @@

unset($field);

unset($configvariable);

}

+

+ foreach ($usernew as $key => $data) { + $usernew->$key = addslashes(clean_text(stripslashes(trim($usernew->$key)), FORMAT_MOODLE)); + }

+

+ $usernew->firstname = strip_tags($usernew->firstname);

+ $usernew->lastname = strip_tags($usernew->lastname);

+

+ if (isset($usernew->username)) { + $usernew->username = moodle_strtolower($usernew->username); + }

+

if (find_form_errors($user, $usernew, $err, $um)) {

if (empty($err['imagefile']) && $usernew->picture = save_profile_image($user->id, $um,'users')) {

set_field('user', 'picture', $usernew->picture, 'id', $user->id); /// Note picture in DB
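
Review bot: the relocated loop at line 129 runs stripslashes() over every field, which now includes the locked values copied in from $user. Those values come from the stored record rather than from the request, so a backslash in a locked value is dropped before addslashes() is applied, and clean_text() may alter them as well. Consider escaping the locked values with addslashes() alone at the point where they are copied in, and add a comment saying this block has to stay after the locked-field replacement so that a later reorder does not bring the bug back.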


Activity

Martin Dougiamas added a comment -

From Sreepathi Pai (sree at donboscoit.ac.in) Thursday, 15 September 2005, 02:43 PM:

this is probably related to MDL-4023

From (penny at catalyst.net.nz) Monday, 12 December 2005, 11:19 AM:

assigning to martin langhoff

From Roger Spurgeon (toprow at gmail.com) Wednesday, 14 December 2005, 12:38 AM:

I don't feel this is related to MDL-4023. That one deals with apostrophes in usernames and passwords. This one is caused when a locked field such as Last Name (using LDAP auth) has an apostrophe in it. The user cannot edit their profile--when they try to save their changes, they get an error.

See also MDL-4317.

David Banach added a comment -

I still encounter this issue in Moodle 1.6.1+
2006050511

using MySQL 4.1.21

PHP 4.42

When I manually remove the apostrophe from the locked field (lastname), the user can edit the profile without error.
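
The ordering problem described in the report, reduced to a stand-alone script. This is an added example, not Moodle code: the helper names (escape_all, apply_locked, build_update), the sample records and the PDO/SQLite part are assumptions made for illustration. It builds the UPDATE in the reported order and in the patched order, then shows bound parameters as an alternative that does not depend on the order at all.

```php
<?php
// Added illustration; hypothetical stand-ins for the flow in user/edit.php.

// Constructed sample data: the submitted form, and the stored record that
// holds the LDAP-supplied values for the locked fields.
$form   = ['firstname' => 'Temp', 'lastname' => 'ignored', 'city' => 'te'];
$stored = ['firstname' => 'Temp', 'lastname' => "O'rary"];
$locked = ['firstname', 'lastname'];

function escape_all(array $rec): array {
    // Same shape as the loop in the patch, without Moodle's clean_text().
    return array_map(fn($v) => addslashes(stripslashes(trim($v))), $rec);
}

function apply_locked(array $rec, array $stored, array $locked): array {
    foreach ($locked as $field) {
        $rec[$field] = $stored[$field];   // raw value taken from the database
    }
    return $rec;
}

function build_update(array $rec, int $id): string {
    $set = [];
    foreach ($rec as $key => $value) {
        $set[] = "$key = '$value'";       // string-built SQL, as in the log
    }
    return 'UPDATE mdl_user SET ' . implode(', ', $set) . " WHERE id = '$id'";
}

// Reported order: escape first, then overwrite the locked fields.
// The locked value reaches the statement without any escaping.
echo build_update(apply_locked(escape_all($form), $stored, $locked), 45), "\n";

// Patched order: overwrite the locked fields, then escape everything.
echo build_update(escape_all(apply_locked($form, $stored, $locked)), 45), "\n";

// Alternative (assumption, not from the report): bound parameters, shown with
// PDO and an in-memory SQLite table. No escaping step exists to misplace.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, city TEXT)');
$db->exec("INSERT INTO mdl_user (id, firstname, lastname, city) VALUES (45, 'Temp', 'x', 'x')");
$stmt = $db->prepare('UPDATE mdl_user SET firstname = :firstname, lastname = :lastname, city = :city WHERE id = :id');
$stmt->execute(apply_locked($form, $stored, $locked) + ['id' => 45]);
echo $db->query('SELECT lastname FROM mdl_user WHERE id = 45')->fetchColumn(), "\n";
```

The script needs PHP 7.4 or later with the pdo_sqlite extension.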
