• Registered: 2008-03-04
  • Posts: 3

Topic: set_default_user & csrf_token

In the set_default_user function ... the random key generated for the csrf_token (the portion of that function which updates the online list). Sometimes the key generated includes single quotations, triggering a 1064 error in mysql ... I imagine due to the use of single quotes in the "VALUES" of the query string.

If the csrf value is escaped the error ceases. However, I don't know if that will adversly affect the other scripts (maybe when checking or comparing the values at another point, one value being escaped and the other not). Is it safe to use a db->escape on it?

--

Also, in the process of trying to figure out the problem I noticed the that "online" table's fields were not utf8, so I changed them to utf8 to see if that would rectify the situation. Should that table "not" be utf8? Do I have to change it back? The database was new for the installation, maybe something was missed in the install scripts.

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: set_default_user & csrf_token

A hash, which I believe the token is, should never include quotations. But I could be wrong there.

And the online table 'issue' has been rectified in an SVN update.

  • Registered: 2008-03-04
  • Posts: 3

Re: set_default_user & csrf_token

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'q,E)S,=O);Zj58Fv<K!')INH@W//s44TA\', 'http://localhost/punbb/' at line 1 (Errno: 1064)

Failed query: REPLACE INTO online (user_id, ident, logged, csrf_token, prev_url) VALUES(1, '127.0.0.1', 1204618569, 'e6c7c64706ff5dd2b6bc76a52d5bf7115a518097F(-Yu'q,E)S,=O);Zj58Fv<K!')INH@W//s44TA\', 'http://localhost/punbb/')

I don't know why I'm getting that, but I am.

Somehow that's completely fucked.

I came back because it also showed up in the cookie_login function. I remedied the problem with another escape, but it seems as though the problem is the custom random_key function. However, as I look at the code there's nothing about the hash generation portion of that code which would insert single quotes. So I haven't the foggiest what could be the issue.

Maybe I should update it to the latest revision, nuke my database and installation. I think I'll go do that ... and will see if the problem still exists. It probably won't, but maybe it's my computer itself.

  • Registered: 2008-03-04
  • Posts: 3

Re: set_default_user & csrf_token

It's not duplicable anymore.

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: set_default_user & csrf_token

Probably a corruption somewhere or so.