InvalidParameterException Part 2

I am moving this everyone's very favorite topic here because the other topic was getting too lengthy for reading thru...

I am getting my brains tied up with the UserName sanitize string and the MySql mysql_real_escape_string() function

I want to try some tests to determine whether my assumptions are correct or smoke in the dark;;;-)

 

  • get_user_by_username() sanitizes username before hitting sql query

    when @ register elgg sanitizes username same way before proceeding

    function sanitise_string() simply calls -> mysql_real_escape_string()

        //user name search
            if($search_name)
                $area1 .= search_for_user($search_name, $limit, 0, "", false);

    uses a LIKE UserName to hit DB and succeeds and fetches the user icon

    get_user_by_username() cannot find UserName by EXACT match and fails

     

     

     

  • I had someone on my site register with a similar user name and they could not get to their profile.

    Thinking it may be something peculiar to our site, I registered the name here to see what happened

    Voilà, same result

  • Not your site

    Here is my test with mysql_real_escape_string()

    FBK_MySql_1_.php

    USERNM::(#jack?%-)
    ESCAPE::(#jack?%-)
    MATRIX::(#/j/a/c/k/#jack?%-/)
    ==>
    NOTEXI::(#/j/a/c/k/#jack?%-/):: ()
    MkDIR *** ERROR ***

    I am doing the same thing as Elgg.
    Sanitize on UserName
    Call Make Matrix from UserName
    Do MkDir for UserName's Matrix

    See the ERROR above --
    MkDir fails at the "?" in UserName

    I did say earlier that "...the UserName does look like it should be illegal "

    Now we know a little bit more...

  • I'm doing some further investigations into mysql_real_escape_string() what it really does -- to try and make some sense of the occasional and sometimes irrecoverable mess people get on their sites.
    Only three people posting here so far.. I suppose no other sites have this problem.. lol.. you lucky lot...

  • Happened to me as well. It screwed up site and some tools broke like river and blogs. I tracked it down in the db and deleted the offending file. What a mess though for just a stray file. I read that it happens when you delete a user from db but I have never done that.

    elgg InvalidParameterException  InvalidParameterException  All files must have an owner!

  • Some updates

    FBK_MySql_1_.php

    USERNM::(~!@()_-+={[}];)
    ESCAPE::(~!@()_-+={[}];)
    MATRIX::(~/!/@/(/)/~!@()_-+={[}];/)
    ==> (~) (1)
    MkDIR OK
    ==> (!) (1)
    MkDIR OK
    ==> (@) (1)
    MkDIR OK
    ==> (() (1)
    MkDIR OK
    ==> ()) (1)
    MkDIR OK
    ==> (~!@()_-+={[}];) (1)
    MkDIR OK

    Seems the (official) bad chars for linux filesystem names are :=
    ~`!@#^&*()_-+={[}]|\:;'\"'<,>.?/\$%
    I filtered the bad list down to the above test, which worked OK.
    Now even though this truncated list, there are other security reasons
    for not allowing the full list above.
    So anyway.. If a UserName contains "bad" chars, FileStore.php
    via the UserName Sanitize and Make Matrix will pass the UserName's
    directory naming as OK, but the MkDir will *fail and the UserName
    is left hanging => *no folder to store profile or group data.
    I guess that explains part of the problem...

  • "Sorry; we could not find the specified profile." It explains this anyway

  • Go to your data folder and look for

    #/j/a/c/k/#jack?%-/ folder

    you'll find an incomplete path

    nothing after
    #/j/a/c/k/

    so elgg cannot do your profile
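
An added example, not part of any post above and not Elgg's own code: a sketch of checking a username against an allowlist before the matrix directory is built, so registration fails cleanly instead of leaving an account with no data folder. The function names, the allowed character set and length limits, and the temp-directory data root are assumptions; the five-character matrix layout follows the test output quoted in the thread.

```php
<?php
// Added example: hypothetical helpers, not Elgg's FileStore.php code.

// Allowlist check at registration, before any SQL or filesystem use.
// Assumption: letters, digits, '_', '.', '-' only, 4-64 chars, no leading dot.
// SQL escaping is still needed for queries, but as the ESCAPE:: lines in the
// thread show, it passes these names through unchanged; it is not a filename check.
function is_storable_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{3,63}\z/', $username) === 1;
}

// Matrix layout as in the thread's test output: the first five characters as
// nested directories, then the full username, e.g. j/a/c/k/_/jack_smith/
function make_matrix(string $username, int $depth = 5): string
{
    $chars = str_split(substr($username, 0, $depth));
    return implode('/', $chars) . '/' . $username . '/';
}

// Validate first, then create the directory and check the result of mkdir().
function create_user_dir(string $dataroot, string $username): string
{
    if (!is_storable_username($username)) {
        throw new InvalidArgumentException('username contains characters that are not allowed');
    }
    $path = rtrim($dataroot, '/') . '/' . make_matrix($username);
    // A half-built path is what leaves the user without a profile folder,
    // so a failed mkdir() must abort the registration rather than pass silently.
    if (!is_dir($path) && !mkdir($path, 0700, true) && !is_dir($path)) {
        throw new RuntimeException("could not create $path");
    }
    return $path;
}

// Constructed sample input: the two usernames from the thread plus a plain one.
$dataroot = sys_get_temp_dir() . '/elgg_demo_' . getmypid();
foreach (['#jack?%-', '~!@()_-+={[}];', 'jack_smith'] as $name) {
    try {
        $path = create_user_dir($dataroot, $name);
        echo "OK     $name -> $path\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $name (" . $e->getMessage() . ")\n";
    }
}
```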

  • I am getting same issue. I think we need to create a SQL script that will remove any IDs that don't have a username. I created a test server and recreated the problem with one username, and I found all that that specific user had and removed any and all entries and it fixed the problem. I have seen this twice: once was a hiccup either with MySQL during a member signing up or Elgg during that same time. Another is like what I am having now with a guy who USED to work with our site going in and removing 50 users via the database. Elgg still finds the fragments in the database but can't locate the user information, so if we can remove any calls to the ID with no users in the users database that should fix it.

  • InvalidParameterException


    All files must have an owner!
    AGAIN! Why does this keep happening and how can I avoid it? It's something to do with the riverdashboard. If I disable it then no error. When enabled it shows this error.