Details
-
Type:
Bug
-
Status:
Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 1.6.3, 1.7
-
Component/s: Authentication
-
Labels:None
-
Database:MySQL
-
Affected Branches:MOODLE_16_STABLE, MOODLE_17_STABLE
-
Fixed Branches:MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE
Description
In auth_sync_users() we user auth_ldap_bulk_insert() to insert temporary user data into the database. Depending on the underlying database, we insert one value at a time, or a number of them (1000 by default).
Inside the function, in order to quote all the values before sending them to the database, we execute the following code:
// make those values safe
array_map('addslashes', $users);
but this is wrong. array_map() doesn't modify the array argument, but instead it returns a modified array (see http://www.php.net/array_map). So the code should be:
// make those values safe
$users = array_map('addslashes', $users);
If there is a username with a single quote in it, the value is not scaped and the insert fails silently (we don't check the return code in the next execute_sql() call). This in turn makes a lot of external users 'inexistent' and their corresponding internal users are deleted from Moodle.
See http://moodle.org/mod/forum/discuss.php?d=59753 for more details on this.
By the way, currently auth_sync_users() just tests for MySQL and Postgresql explicitly, and set bulk_insert_records = 1 just for Postgresl, so Oracle and MS SQL get the defauknowledge
lt of 1000. I don't know if Oracle and MS SQL allow the extended insert syntax or not, so anyone who knows Oracle and MS SQL better should have a look at it.
Saludos. Iñaki.
Issue Links
| This issue is a clone of: | ||||
| MDL-8023 | CLONE -auth_ldap_bulk_insert() potential problem for MSSQL and Oracle |
|
|
|
> so Oracle and MS SQL get the defauknowledge lt of 1000.
This should read so Oracle and MS SQL get the defaut value of 1000
Saludos. Iñaki.