  1. Moodle
  2. MDL-4073

Locked fields data in user/edit.php is not quoted in SQL when updating database


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 1.5.2
    • Fix Version/s: 1.6.4, 1.7.1, 1.8
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      Linux
    • Database:
      PostgreSQL
    • Affected Branches:
      MOODLE_15_STABLE
    • Fixed Branches:
      MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE

      Description

      When firstname and lastname are imported automatically from an LDAP directory, and those fields are locked in Moodle, then the user/edit.php file fails for names containing SQL special characters like ' (apostrophe). This results in a "Could not update the user record (xx)" error when the user updates his profile.

      I'm using PostgreSQL as the backend, and here is the log from Apache's error log for LDAP user Temp O'rary:

      [client 10.0.0.221] SQL ERROR: syntax error at or near rary at character 55 in /usr/share/moodle/user/edit.php on line 200. STATEMENT: UPDATE mdl_user SET firstname = 'Temp', lastname = 'O'rary', email = 'temp@temp.com', emailstop = '0', icq = '', phone1 = '', phone2 = '', department = 'ou=Staff,dc=xyz,dc=org', address = '', city = 'te', country = 'IN', lang = 'en', url = '', description = 'te', mailformat = '1', maildigest = '0', maildisplay = '2', htmleditor = '1', autosubscribe = '1', timemodified = '1126763914', idnumber = '10947', msn = '', aim = '', yahoo = '', skype = '', timezone = '99', trackforums = '0' WHERE id = '45', referer: http://xyz.org/user/edit.php?id=45&course=1

      From what I can see in user/edit.php, the part that adds and strips slashes to $usernew does so before the locked field data items are replaced from $user. My patch therefore shifts the position of that code to after the locked fields replacement is done. Is the solution okay?

      — /home/ducs/edit.php 2005-09-15 10:57:03.000000000 +0530

      +++ edit.php 2005-09-15 11:39:32.000000000 +0530

      @@ -108,17 +108,6 @@

      }

      }

      • foreach ($usernew as $key => $data) { - $usernew->$key = addslashes(clean_text(stripslashes(trim($usernew->$key)), FORMAT_MOODLE)); - }

      -

      • $usernew->firstname = strip_tags($usernew->firstname);
      • $usernew->lastname = strip_tags($usernew->lastname);

      -

      • if (isset($usernew->username)) { - $usernew->username = moodle_strtolower($usernew->username); - }

      -

      require_once($CFG->dirroot.'/lib/uploadlib.php');

      $um = new upload_manager('imagefile',false,false,null,false,0,true,true);
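
      Review bot: With the addslashes/clean_text loop, the two strip_tags calls and the moodle_strtolower call removed from this position, $usernew stays raw and un-normalised until the block re-added in the second hunk. The context here shows only the uploadlib require and the upload_manager construction following, and the lines between there and the locked-fields loop are not in the diff, so please confirm that nothing in that stretch compares $usernew->username or passes a $usernew field to a query before the values are escaped again.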

      @@ -140,6 +129,18 @@

      unset($field);

      unset($configvariable);

      }

      +

      + foreach ($usernew as $key => $data)

      { + $usernew->$key = addslashes(clean_text(stripslashes(trim($usernew->$key)), FORMAT_MOODLE)); + }

      +

      + $usernew->firstname = strip_tags($usernew->firstname);

      + $usernew->lastname = strip_tags($usernew->lastname);

      +

      + if (isset($usernew->username))

      { + $usernew->username = moodle_strtolower($usernew->username); + }

      +

      if (find_form_errors($user, $usernew, $err, $um)) {

      if (empty($err['imagefile']) && $usernew->picture = save_profile_image($user->id, $um,'users')) {

      set_field('user', 'picture', $usernew->picture, 'id', $user->id); /// Note picture in DB
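
      Review bot: In the re-added loop, stripslashes() now also runs over the locked values, which per the description come from $user rather than from the submitted form, so a stored value that contains a backslash would lose it before addslashes() is applied. Consider escaping the copied locked fields on their own with addslashes() only, or escaping at the point where the UPDATE statement is built so correctness does not depend on where this block sits in edit.php. The loop variable $data is also never used.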


              People

              Assignee:
              skodak Petr Skoda
              Reporter:
              imported Imported
              Tester:
              Nobody Nobody
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                17/Jan/07
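
The ordering problem described in this report, as an added example that is not part of the original issue or of Moodle's code: it rebuilds the escape-then-overwrite sequence with constructed data, shows the reordering the patch proposes, and then performs the same update with bound parameters. The helper names, the `COLUMNS` list and the in-memory SQLite table are assumptions made for the illustration.

```php
<?php
// Added illustration, not Moodle code. Helper names are hypothetical;
// column names follow the statement quoted in the report.
const COLUMNS = ['firstname', 'lastname', 'city'];   // fixed allow-list of columns

// Order in the report: escape the form data, then copy locked fields in raw.
function escape_then_merge(array $form, array $stored, array $locked): array {
    $new = array_map('addslashes', $form);
    foreach ($locked as $f) { $new[$f] = $stored[$f]; }   // unescaped from here on
    return $new;
}

// Order proposed by the patch: copy locked fields first, then escape everything.
function merge_then_escape(array $form, array $stored, array $locked): array {
    foreach ($locked as $f) { $form[$f] = $stored[$f]; }
    return array_map('addslashes', $form);
}

// String-built statement: correct only if every value was escaped beforehand.
function build_update(array $fields, int $id): string {
    $sets = [];
    foreach (COLUMNS as $c) { $sets[] = "$c = '{$fields[$c]}'"; }
    return 'UPDATE mdl_user SET ' . implode(', ', $sets) . " WHERE id = '$id'";
}

// Bound parameters: values never enter the SQL text, so ordering stops mattering.
function update_bound(PDO $db, array $fields, int $id): void {
    $sets = implode(', ', array_map(fn($c) => "$c = :$c", COLUMNS));
    $params = ['id' => $id];
    foreach (COLUMNS as $c) { $params[$c] = $fields[$c]; }
    $db->prepare("UPDATE mdl_user SET $sets WHERE id = :id")->execute($params);
}

// Constructed sample data modelled on the report.
$stored = ['firstname' => 'Temp', 'lastname' => "O'rary", 'city' => 'te'];
$form   = ['firstname' => 'Temp', 'lastname' => 'edited', 'city' => 'te'];
$locked = ['firstname', 'lastname'];

echo build_update(escape_then_merge($form, $stored, $locked), 45), "\n"; // locked value arrives raw
echo build_update(merge_then_escape($form, $stored, $locked), 45), "\n"; // locked value is escaped

$db = new PDO('sqlite::memory:');   // assumes the pdo_sqlite extension is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, city TEXT)');
$db->exec("INSERT INTO mdl_user VALUES (45, 'Temp', 'x', '')");
$merged = array_merge($form, array_intersect_key($stored, array_flip($locked)));
update_bound($db, $merged, 45);     // raw merged values, no addslashes anywhere
echo $db->query('SELECT lastname FROM mdl_user WHERE id = 45')->fetchColumn(), "\n";
```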