I am moving this everyone's very favorite topic here because the other topic was getting too lengthy for reading through...
I am getting my brains tied up with the UserName sanitize string and the MySql mysql_real_escape_string() function.
I want to try some tests to determine whether my assumptions are correct or smoke in the dark;;;-)
get_user_by_username() sanitizes username before hitting sql query
when @ register elgg sanitizes username same way before proceeding
function sanitise_string() simply calls -> mysql_real_escape_string()
// user name search
if ($search_name)
    $area1 .= search_for_user($search_name, $limit, 0, "", false);
uses a LIKE UserName to hit DB and succeeds and fetches the user icon
get_user_by_username() cannot find UserName by EXACT match and fails
I had someone on my site register with a similar user name and they could not get to their profile.
Thinking it may be something peculiar to our site, I registered the name here to see what happened.
Voilà, same result
Not your site
Here is my test with mysql_real_escape_string()
FBK_MySql_1_.php
I am doing the same thing as Elgg.
Sanitize on UserName
Call Make Matrix from UserName
Do MkDir for UserName's Matrix
See the ERROR above --
MkDir fails at the "?" in UserName
I did say earlier that "...the UserName does look like it should be illegal "
Now we know a little bit more...
I'm doing some further investigations into what mysql_real_escape_string() really does -- to try and make some sense of the occasional and sometimes irrecoverable mess people get on their sites.
Only three people posting here so far.. I suppose no other sites have this problem.. lol.. you lucky lot...
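An added example, not part of the original posts and not Elgg code, showing why a username that has been escaped for SQL can still break a later mkdir() call. The function names, the allowlist rule and the sample usernames are assumptions made for the illustration; sql_escape_standin() only models the character set that mysql_real_escape_string() escapes, so the script runs without a database connection.

```php
<?php
// Added example, not Elgg code.
// sql_escape_standin() models the characters mysql_real_escape_string()
// escapes (NUL, \n, \r, \, ', ", Ctrl-Z) so the script runs without a
// database connection; it is a stand-in, not the real function.
function sql_escape_standin(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Hypothetical registration rule: letters, digits and underscore only,
// so the same string is valid as a SQL value and as a directory name.
function is_safe_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{4,64}\z/', $name) === 1;
}

// Constructed sample usernames.
$samples = ['alice_01', 'who?me', "o'brien", '../x/y', 'a*b%c'];

foreach ($samples as $name) {
    $escaped = sql_escape_standin($name);
    printf(
        "%-10s sql-escaped: %-11s changed: %-3s allowlisted: %s\n",
        $name,
        $escaped,
        $escaped === $name ? 'no' : 'yes',
        is_safe_username($name) ? 'yes' : 'no'
    );
}
```

Escaping makes a string safe inside a quoted SQL literal; it does not remove characters such as `?`, `*`, `/` or `%`, so a name that doubles as a directory name needs its own check at registration.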
Happened to me as well. It screwed up site and some tools broke like river and blogs. I tracked it down in the db and deleted the offending file. What a mess though for just a stray file. I read that it happens when you delete a user from db but I have never done that.
elgg InvalidParameterException InvalidParameterException All files must have an owner!
Some updates
FBK_MySql_1_.php
Sorry; we could not find the specified profile. it explains this anyway
goto yr data folder and look for
I am getting same issue. I think we need to create a SQL script that will remove any IDs that don't have a username. I created a test server and recreated the problem with one username, and I found all that that specific user had and removed any and all entries and it fixed the problem. I have seen this twice: once was a hiccup either with MySQL during a member signing up or Elgg during that same time. Another is like what I am having now with a guy who USED to work with our site going in and removing 50 users via the database. Elgg still finds the fragments in the database but can't locate the user information, so if we can remove any calls to the ID with no users in the users database that should fix it.
InvalidParameterException
All files must have an owner!
AGAIN! Why does this keep happening and how can I avoid it? It's something to do with the riverdashboard. If I disable it then no error. When enabled it shows this error.