Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Bug Reports
Author Message
MickP
Hangin' Around


Joined: Sep 17, 2003
Posts: 31
Location: Australia

PostPosted: Mon May 31, 2004 4:57 pm Reply with quote

Ok, this is probably a cheap and nasty way of doing it, but maybe Chatserv or Raven can make sure it doesnt open a can of worms. This now works on my site for all members:
Code:
cookiedecode($user); 

getusrinfo($user);
$username1 = strtolower($userinfo['username']);
$username2 = strtolower($cookie[1]);
if ((is_user($user)) AND ($username1 == $username2) AND ($userinfo['user_password'] == $cookie[2])) {


let me know if this is ok please.

Thanks for the help
 
View user's profile Send private message Visit poster's website
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Mon May 31, 2004 5:04 pm Reply with quote

Your right on the mark with the cause we'll have to wait for a higher authority on the solution though. This must be a windows specific issue to have remained undetected for so long. Username I would expect to be case sensitive anywhere else.
 
View user's profile Send private message
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Mon May 31, 2004 5:04 pm Reply with quote

An case insensitive comparision would work on htat problem. One of us will provide a patch for you soon Smile

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
BobMarion
PostPosted: Mon May 31, 2004 5:07 pm Reply with quote

Well, duh. I didn't get to the second page before posting, that'll teach me to read on first Smile

The above is equal to:
Code:
if ((is_user($user)) AND (strtolower($userinfo[username]) == strtolower($cookie[1])) AND ($userinfo[user_password] == $cookie[2])) {
 
MickP
PostPosted: Mon May 31, 2004 5:13 pm Reply with quote

Rolling Eyes I knew there would be a cleaner way of doing it Laughing

Could this also explain why sometimes, a member tells me they have tried to change their details in the YA, but it wont save?
Is there also something we need to change in the accompanying "save" functions?
 
BobMarion
PostPosted: Mon May 31, 2004 5:28 pm Reply with quote

I'll look thru it and see.
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Mon May 31, 2004 5:33 pm Reply with quote

Like i told six i thought everyone knew nicks were case sensitive, if you wish to modify the code to allow for case insensitive username then by all means do so but i suggest you don't alter the casing for the password, in my view not a good idea, on my sites i will leave both as is, no sense in making things easier for the script kiddies.
 
View user's profile Send private message Visit poster's website
BobMarion
PostPosted: Mon May 31, 2004 5:37 pm Reply with quote

In the save user routine I find (this is from 7.3 but should be the same for most versions)
Code:
    cookiedecode($user);

    $check = $cookie[1];
    $check2 = $cookie[2];
    $sql = "SELECT user_id, user_password FROM ".$user_prefix."_users WHERE username='$check'";


Here's the problem, I'm not aware of a command that will do case insensitive comparisions in sql. For this reason I'll await for a reply from one of the other admins before going futher Smile
 
MickP
PostPosted: Mon May 31, 2004 5:47 pm Reply with quote

Yep, I wouldn't do the same for passwords, they need to be case sensitive, but the log in for members nicks must be case insensitive to start with, or they would not get in without being exact, so makes no sense to have some other parts case sensitive for this reason. As for those who log in not using the same case in the nicks, well, I have lots of them Confused guess its just who I attract Shocked
 
chatserv
PostPosted: Mon May 31, 2004 6:04 pm Reply with quote

Not sure if a mysql compare can be done but usually you can enter the data in any matter and extract it by adding a WHERE clause similar to WHERE LOWER(username) = '" . strtolower($username) . "', thing is many queries that involve the users table search by user_id, this would require editing them all, unless you only add this to the login function which could work.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon May 31, 2004 6:12 pm Reply with quote

MySQL always does a case insensitive compare. In a where clause, where name="CHAtseRv" will match name="chatserv". You should not have to use a function in the where clause.
 
View user's profile Send private message
MickP
PostPosted: Mon May 31, 2004 6:23 pm Reply with quote

Ok, Thanks Raven. The odd ones that say they couldnt change their details in the YA module I mormally send to the profile in the forums, and that works, is funny tho how sometimes, it just wont add the changes to the database from the YA, and was wondering if this had something to do with it. It could have also been more to do with the original lines in the chng functions as well. Will wait and see how all goes from here.
 
Raven
PostPosted: Mon May 31, 2004 6:27 pm Reply with quote

BobMarion wrote:
Well, duh. I didn't get to the second page before posting, that'll teach me to read on first Smile

The above is equal to:
Code:
if ((is_user($user)) AND (strtolower($userinfo[username]) == strtolower($cookie[1])) AND ($userinfo[user_password] == $cookie[2])) {
This would be correct and as Chat said, do not do this to the password check Wink
 
BobMarion
PostPosted: Mon May 31, 2004 8:51 pm Reply with quote

What I did for NSNYA was to force the login to use the username stored in the db instead of the one typed in by the user. All things being equal, it forced the cookie to use the db's casing of the username instead of the user typed casing.

EDITED SPELLING


Last edited by BobMarion on Mon May 31, 2004 8:56 pm; edited 1 time in total 
BobMarion
PostPosted: Mon May 31, 2004 8:54 pm Reply with quote

My login in function uses this:
Code:
                yacookie($setinfo[user_id], $setinfo[username], $new_pass, $setinfo[storynum], $setinfo[umode], $setinfo[uorder], $setinfo[thold], $setinfo[noscore], $setinfo[ublockon], $setinfo[theme], $setinfo[commentmax]);


This is why I never ran into the problem before since the cookie stored value always matched the db stored value. Many people complained that their usernames didn't match what they typed in to login until I explained it was for their protection Smile
 
CurtisH
Life Cycles Becoming CPU Cycles


Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI

PostPosted: Fri Jun 25, 2004 12:16 pm Reply with quote

None of the patches offered on this forum or (Sentinel) NSN's forum have worked for me and I have not been able to get a response from anyone. I myself am completely stumped.

I have NSNYA 720 3.2.0 A4 install as well as Sentinel 1.2 and everythings works as it should EXCEPT the navbar in NSNYA user control panel links to "Change Info", "Change Home" and "Comments Setup", clicking on these merely refresh the NSNYA (Your Accoun) page. If I comment out the includes function for Sentinel in the mainfile.php users are once again able to access the above mentioned links.

Please help.

_________________
Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe 
View user's profile Send private message Visit poster's website Yahoo Messenger
chatserv
PostPosted: Fri Jun 25, 2004 12:32 pm Reply with quote

I would get a similar problem on a site because my name on the db was stored as ChatServ and i logged in as chatserv
 
CurtisH
PostPosted: Fri Jun 25, 2004 12:37 pm Reply with quote

I tried that too, but it didn't make any difference. Are you succesfully using Sentinel and NSNYA on your site chatserv?
 
chatserv
PostPosted: Fri Jun 25, 2004 1:00 pm Reply with quote

Yes, i use it on one of my sites, let's do the following, email me the index of the your account module and i'll check if it has any errors, i'll pm you the email addy.
 
CurtisH
PostPosted: Fri Jun 25, 2004 9:24 pm Reply with quote

Thanks chatserv for pointing me in the right direction.

Here is my fix that worked on PHP-Nuke 7.1 (patched 2.4) with NSN Sentinel 1.2.0 and NSN Your Account 720 3.2.0 A4:

find this line:

getusrinfo($user);
if (($userinfo[username] != $cookie[1]) AND ($userinfo[user_password] != $cookie[2])) {


in these 4 files:

modules/Your_Account/public/chngtheme.php
modules/Your_Account/public/editcomm.php
modules/Your_Account/public/edithome.php
modules/Your_Account/public/edituser.php

change in all 4 files to this:


cookiedecode($user);
getusrinfo($user);
if ((is_user($user)) AND ($userinfo[username] == $cookie[1]) AND ($userinfo[user_password] == $cookie[2])) {

Now the NSN Your Account module on my site is once again behaving as it was intended and NSN Sentinel is back on the job.

For those running the same setup as I am who want a quick easy fix I have created a quick patch that you can download Only registered users can see links on this board! Get registered or login!. This may work on other configurations but I haven't tested.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Bug Reports

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©