#514 DBAUTH queries require set ordering for arguments

User_Authentication
closed
Reini Urban
5
2012-10-11
2005-11-17
Matt Brown
No

The DBAUTH queries used for database-backed user
authentication require the parameters (username,
password, etc) to be specified in a particular order
that is not documented anywhere except for the source
code.

For example:

DBAUTH_AUTH_CHECK = "SELECT count(*) as ok FROM wiki_users WHERE password = '$password' AND userid = '$userid'"

does not work, but

DBAUTH_AUTH_CHECK = "SELECT count(*) as ok FROM wiki_users WHERE userid = '$userid' AND password = '$password'"

does.

The problematic line in this case is line 175 of
lib/WikiUser/PearDb.php, which contains the following
statement:

$okay = $dbh->getOne(sprintf($this->_authselect, $dbh->quote($submitted_password), $dbh->quote($this->_userid)));

From this it is clear that the positional requirement
comes from the simple sprintf statement.

This should be fixed so that $username and $password
can come anywhere in the DBAUTH string and be correctly
replaced. Perhaps using str_replace or similar.

Discussion

  • Reini Urban
    2006-03-19

    Logged In: YES
    user_id=13755

    I'll check in a fix to be truly position independent on
    config.ini settings

  • Reini Urban
    2006-03-19

    Logged In: YES
    user_id=13755

    sprintf( %1s, %2s, ... in ->prepare fixed that.
    Thanks.
    To be position independent was the reason to introduce
    our own prepare with sprintf. But I forgot to actually
    use the %<n>s trick.

    Fixed in current CVS
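The position-dependent sprintf() substitution described in the report and the %1$s / %2$s fix from the last comment, as an added example (not PhpWiki's code): quote_value() is a stand-in for $dbh->quote(), PhpWiki's real prepare() is not reproduced, and the userid-first call order is an assumption.

```php
<?php
// Added example, not PhpWiki's code. It contrasts the naive "%s" substitution that
// caused this ticket with PHP's argument-swapping "%1$s"/"%2$s" specifiers, using
// the two config.ini queries quoted in the report.

// Stand-in for $dbh->quote(): wrap in single quotes and double any embedded quote.
function quote_value(string $value): string {
    return "'" . str_replace("'", "''", $value) . "'";
}

// Naive template: every placeholder becomes "%s", so the argument order of the
// sprintf() call must match the placeholder order in the config string.
function prepare_naive(string $template): string {
    $fmt = str_replace('%', '%%', $template);   // protect a literal '%' (e.g. LIKE '%x%')
    return strtr($fmt, ["'\$userid'" => '%s', "'\$password'" => '%s']);
}

// Fixed template: each named placeholder maps to a fixed argument position
// (%1$s for userid, %2$s for password), so placeholders may appear in any order.
function prepare_positional(string $template): string {
    $fmt = str_replace('%', '%%', $template);
    return strtr($fmt, ["'\$userid'" => '%1$s', "'\$password'" => '%2$s']);
}

function build_query(string $fmt, string $userid, string $password): string {
    // Assumed fixed call order of the caller: userid first, password second.
    return sprintf($fmt, quote_value($userid), quote_value($password));
}

// The two orderings from the report (constructed inputs).
$userid_first   = "SELECT count(*) as ok FROM wiki_users WHERE userid = '\$userid' AND password = '\$password'";
$password_first = "SELECT count(*) as ok FROM wiki_users WHERE password = '\$password' AND userid = '\$userid'";

// Naive: the password-first template silently compares the userid against the password column.
echo build_query(prepare_naive($password_first), 'alice', "s3cret'x"), "\n";

// Positional: both templates bind the right value to the right column.
echo build_query(prepare_positional($userid_first), 'alice', "s3cret'x"), "\n";
echo build_query(prepare_positional($password_first), 'alice', "s3cret'x"), "\n";
```

The '%' escaping before substitution matters in practice: a config query containing LIKE '%foo%' would otherwise be read by sprintf() as a conversion specifier.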