I ran across an interesting...."bug" last night. I have a member who used an apostrophe in their username when they signed up. If you click on the Members link at the top of the Forums and click on their username, a database error occurs which states:

Database error in vBulletin: Invalid SQL: SELECT COUNT(title) AS starts FROM thread WHERE postusername=''81 Great White' AND open!='10'
mysql error: You have an error in your SQL syntax near '81 Great White' AND open!='10'' at line 1
mysql error number: 1064
Date: Tuesday 17th of July 2001 11:51:46 PM
Script: /forums/member.php?action=getinfo&userid=790
Referer: http://corvetteactioncenter.com/forums/memberlist.php


Would it be possible run a JavaScript check at the time of registration to catch users who place punctuation in their usernames? I'm assuming the apostrophe is what is causing the syntax error?

You shouldn't be getting an error for this. The apostrophe should be handled by addslashes.

Have you edited your member.php file for any reason?

You can see it works here:
http://sitepointforums.com/member.php?action=getinfo&userid=10845

Yep. I have edited the member.php file. His username is the only username that errors like that. I removed the apostrophe from his username and now it's fine.

It would be better if you did something like:

addslashes($username) when ever you put it in a query...

Originally posted by wluke
It would be better if you did something like:

addslashes($username) when ever you put it in a query...

Wayne, could you elaborate? Thanks.

I think he means that you put in every mysql-query sth like this:

insert INTO blabla 'addslashes($username)',....

Almost -- you need to drop out of the query as addslashes is a PHP function:

$DB_site->query("SELECT * FROM thread WHERE postusername='".addslashes($username)."'");

True, Ed. I shouldn't write fast without thinking ;).

I need to finally get around to fix this problem and can someone tell me specifically what to look for in the member.php file and what to change/fix? I'm kind of confused by the different posts above. Thanks.

Just look for every mySQL-query in your member.php. In those queries, make sure that $username is surrounded by the addslashes function like ed mentioned.

The addslashes function will basically escape certain characters with a backslash, to make them work correctly in various functions.

Whenever you alter some text in a query, it's often a good idea to run the text through addslashes before or during the SQL query - either of these will do:$username = addslashes($username);
$DB_site->query("UPDATE something SET username='$username' WHERE bla='$moo'");or$DB_site->query("UPDATE something SET username='".addslashes($username)."' WHERE bla='$moo'");

Thanks everyone. :) Well...when I can actually turn my forums back on due to database problems at my hosting provider....someday....I'll be able to actually fix this. :rolleyes:

I found the section of code that is causing the problem, but everything I try, basically breaks the functioning of the hack so that the number returned is zero. The profile does display. Does anyone have any ideas how I can fix this?


// Find out how many threads this user has started - Threads Started Hack - 7-31-01
$startcount = $DB_site->query_first("SELECT COUNT(title) AS starts FROM thread WHERE postusername='".addslashes($userinfo[username])."' AND open!='10'");
$starts = $startcount[starts];
// end Find threads

I fixed it for you and you should really add an index on postusername if you are using that query alot.ALTER TABLE thread ADD index postusername (postusername)

Thanks Freddie!

Rob