Details
Description
During the use of Moodle at the Florence University (Computer Science Degree),
we met the following problem:
the locked fields of the user profile are not leaked for deleting MySQL special characters; i.e., when a user changes his profile, locked fields are copied without applying the function addslashes. If one of these fields contains, for example, ' (apostrophe) or any other MySQL special character, Moodle (version 1.5.x) gives an error message when it tries to save the data to the database. The file moodle/user/edit.php has to be edited as follows to solve this problem:
Original code:
    // override locked values
    if (!isadmin()) {
        $fields = get_user_fieldnames();
        $authconfig = get_config( 'auth/' . $user->auth );
        foreach ($fields as $field) {
            $configvariable = 'field_lock_' . $field;
            if ( $authconfig->{$configvariable} === 'locked'
                 || ($authconfig->{$configvariable} === 'unlockedifempty'
                     && !empty($user->$field)) ) {
                if (!empty( $user->$field)) {
                    // Original string
                    $usernew->$field = $user->$field;
                }
            }
        }
    }
Modified Code:
    // override locked values
    if (!isadmin()) {
        $fields = get_user_fieldnames();
        $authconfig = get_config( 'auth/' . $user->auth );
        foreach ($fields as $field) {
            $configvariable = 'field_lock_' . $field;
            if ( $authconfig->{$configvariable} === 'locked'
                 || ($authconfig->{$configvariable} === 'unlockedifempty'
                     && !empty($user->$field)) ) {
                if (!empty( $user->$field)) {
                    // Modified String
                    $usernew->$field = addslashes(clean_text(stripslashes(trim ($user->$field)), FORMAT_MOODLE));
                }
            }
        }
    }
Issue Links
This issue has a clone:
MDL-6613: Apostrophe in surname prevents user updating profile
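An added example, not part of the original report and not Moodle code: it shows why copying a locked field back unescaped breaks the save, and what addslashes changes. build_update(), has_unescaped_quote(), the table name and the sample profile values are constructed for illustration, and it assumes a data layer that concatenates already-escaped values into SQL.

```php
<?php
// Hypothetical stand-in for a data layer that builds SQL by concatenation
// and expects every value to arrive already escaped (assumption).
function build_update(string $table, int $id, array $record): string {
    $sets = [];
    foreach ($record as $column => $value) {
        $sets[] = "$column = '$value'";   // no escaping here, by design
    }
    return "UPDATE $table SET " . implode(', ', $sets) . " WHERE id = $id";
}

// True if the value contains an apostrophe that is not backslash-escaped,
// i.e. one that would end the SQL string literal early.
function has_unescaped_quote(string $value): bool {
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        if ($value[$i] === '\\') { $i++; continue; }  // skip the escaped char
        if ($value[$i] === "'") { return true; }
    }
    return false;
}

// Constructed sample data. The stored profile comes back from the database raw.
$user    = (object)['id' => 42, 'lastname' => "D'Amico"];
// Submitted form data is assumed to be escaped already on the way in.
$usernew = (object)['city' => addslashes("Sant'Agata")];
$locked  = ['lastname'];                  // fields the user may not change

foreach ([false, true] as $escape) {
    $record = clone $usernew;
    foreach ($locked as $field) {         // the "override locked values" step
        if (!empty($user->$field)) {
            $record->$field = $escape ? addslashes($user->$field) : $user->$field;
        }
    }
    echo ($escape ? 'escaped:   ' : 'unescaped: ')
        . build_update('user_table', $user->id, (array)$record) . "\n";
    foreach ((array)$record as $column => $value) {
        if (has_unescaped_quote($value)) {
            echo "  -> $column ends its string literal early; the statement fails\n";
        }
    }
}
// Current code would bind values as query parameters instead of escaping them.
```

Only the unescaped pass flags lastname: the submitted city value was escaped on input, while the locked value was read back raw from the stored profile.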
From Roger Spurgeon (toprow at gmail.com) Wednesday, 14 December 2005, 12:38 AM:
See also MDL-4073.