Author |
Message |
MickP
Hangin' Around
Joined: Sep 17, 2003
Posts: 31
Location: Australia
|
Posted:
Mon May 31, 2004 4:57 pm |
|
Ok, this is probably a cheap and nasty way of doing it, but maybe Chatserv or Raven can make sure it doesn't open a can of worms. This now works on my site for all members:
Code:
cookiedecode($user);
getusrinfo($user);
$username1 = strtolower($userinfo['username']);
$username2 = strtolower($cookie[1]);
if ((is_user($user)) AND ($username1 == $username2) AND ($userinfo['user_password'] == $cookie[2])) {
|
let me know if this is ok please.
Thanks for the help |
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Mon May 31, 2004 5:04 pm |
|
You're right on the mark with the cause; we'll have to wait for a higher authority on the solution though. This must be a Windows-specific issue to have remained undetected for so long. Username I would expect to be case sensitive anywhere else. |
|
|
|
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
|
Posted:
Mon May 31, 2004 5:04 pm |
|
A case-insensitive comparison would work on that problem. One of us will provide a patch for you soon :) |
_________________ Bob Marion
Codito Ergo Sum |
|
|
BobMarion
|
Posted:
Mon May 31, 2004 5:07 pm |
|
Well, duh. I didn't get to the second page before posting, that'll teach me to read on first
The above is equal to:
Code:
if ((is_user($user)) AND (strtolower($userinfo[username]) == strtolower($cookie[1])) AND ($userinfo[user_password] == $cookie[2])) {
|
|
|
|
|
MickP
|
Posted:
Mon May 31, 2004 5:13 pm |
|
I knew there would be a cleaner way of doing it
Could this also explain why sometimes a member tells me they have tried to change their details in the YA, but it won't save?
Is there also something we need to change in the accompanying "save" functions? |
|
|
|
BobMarion
|
Posted:
Mon May 31, 2004 5:28 pm |
|
I'll look thru it and see. |
|
|
|
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
Posted:
Mon May 31, 2004 5:33 pm |
|
Like I told six, I thought everyone knew nicks were case sensitive. If you wish to modify the code to allow for case insensitive usernames then by all means do so, but I suggest you don't alter the casing for the password, in my view not a good idea. On my sites I will leave both as is, no sense in making things easier for the script kiddies. |
|
|
|
BobMarion
|
Posted:
Mon May 31, 2004 5:37 pm |
|
In the save user routine I find (this is from 7.3 but should be the same for most versions)
Code:
cookiedecode($user);
$check = $cookie[1];
$check2 = $cookie[2];
$sql = "SELECT user_id, user_password FROM ".$user_prefix."_users WHERE username='$check'";
|
Here's the problem, I'm not aware of a command that will do case insensitive comparisons in SQL. For this reason I'll await a reply from one of the other admins before going further :) |
|
|
|
MickP
|
Posted:
Mon May 31, 2004 5:47 pm |
|
Yep, I wouldn't do the same for passwords, they need to be case sensitive, but the log in for members' nicks must be case insensitive to start with, or they would not get in without being exact, so it makes no sense to have some other parts case sensitive for this reason. As for those who log in not using the same case in the nicks, well, I have lots of them, guess it's just who I attract :o |
|
|
|
chatserv
|
Posted:
Mon May 31, 2004 6:04 pm |
|
Not sure if a MySQL compare can be done, but usually you can enter the data in any manner and extract it by adding a WHERE clause similar to WHERE LOWER(username) = '" . strtolower($username) . "'. Thing is, many queries that involve the users table search by user_id; this would require editing them all, unless you only add this to the login function, which could work. |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Mon May 31, 2004 6:12 pm |
|
MySQL always does a case insensitive compare. In a where clause, where name="CHAtseRv" will match name="chatserv". You should not have to use a function in the where clause. |
|
|
|
MickP
|
Posted:
Mon May 31, 2004 6:23 pm |
|
Ok, thanks Raven. The odd ones that say they couldn't change their details in the YA module I normally send to the profile in the forums, and that works. It is funny tho how sometimes it just won't add the changes to the database from the YA, and I was wondering if this had something to do with it. It could have also been more to do with the original lines in the chng functions as well. Will wait and see how all goes from here. |
|
|
|
Raven
|
Posted:
Mon May 31, 2004 6:27 pm |
|
BobMarion wrote: | Well, duh. I didn't get to the second page before posting, that'll teach me to read on first
The above is equal to:
Code:
if ((is_user($user)) AND (strtolower($userinfo[username]) == strtolower($cookie[1])) AND ($userinfo[user_password] == $cookie[2])) {
|
This would be correct and, as Chat said, do not do this to the password check ;) |
|
|
|
BobMarion
|
Posted:
Mon May 31, 2004 8:51 pm |
|
What I did for NSNYA was to force the login to use the username stored in the db instead of the one typed in by the user. All things being equal, it forced the cookie to use the db's casing of the username instead of the user typed casing.
EDITED SPELLING |
Last edited by BobMarion on Mon May 31, 2004 8:56 pm; edited 1 time in total |
|
|
BobMarion
|
Posted:
Mon May 31, 2004 8:54 pm |
|
My login function uses this:
Code:
yacookie($setinfo[user_id], $setinfo[username], $new_pass, $setinfo[storynum], $setinfo[umode], $setinfo[uorder], $setinfo[thold], $setinfo[noscore], $setinfo[ublockon], $setinfo[theme], $setinfo[commentmax]);
|
This is why I never ran into the problem before since the cookie stored value always matched the db stored value. Many people complained that their usernames didn't match what they typed in to login until I explained it was for their protection :) |
|
|
|
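Added example, not code from this thread or from PHP-Nuke/NSNYA: a stand-alone sketch of the three behaviours discussed above (the exact cookie check, the strtolower() username check, and building the cookie from the database casing at login). The user row, cookie values and helper names are constructed for illustration, and hash_equals() stands in for the thread's == on the password hash.

```php
<?php
// Constructed stand-in for the row getusrinfo() loads; not real data.
$userinfo = [
    'user_id'       => 7,
    'username'      => 'ChatServ',
    'user_password' => hash('sha256', 'constructed-password'),
];

// Cookie layout as in the thread: [0] user_id, [1] username, [2] password hash.
// make_cookie() and the check_* helpers are hypothetical names.
function make_cookie(int $uid, string $name, string $hash): array {
    return [$uid, $name, $hash];
}

// Exact comparison of both fields: fails when the typed casing differs.
function check_exact(array $db, array $cookie): bool {
    return $db['username'] === $cookie[1]
        && hash_equals($db['user_password'], $cookie[2]);
}

// Username folded to lower case on both sides; the hash is never folded.
function check_folded_name(array $db, array $cookie): bool {
    return strtolower($db['username']) === strtolower($cookie[1])
        && hash_equals($db['user_password'], $cookie[2]);
}

// Login-side alternative: build the cookie from the database row, so the
// stored casing is what ends up in the cookie.
function cookie_from_db(array $db): array {
    return make_cookie($db['user_id'], $db['username'], $db['user_password']);
}

$typed  = make_cookie(7, 'chatserv', $userinfo['user_password']);
$folded = make_cookie(7, 'chatserv', strtoupper($userinfo['user_password']));

$cases = [
    'exact check, typed casing'         => check_exact($userinfo, $typed),
    'folded name, typed casing'         => check_folded_name($userinfo, $typed),
    'folded name, case-altered hash'    => check_folded_name($userinfo, $folded),
    'exact check, cookie built from db' => check_exact($userinfo, cookie_from_db($userinfo)),
];
foreach ($cases as $label => $ok) {
    echo str_pad($label, 36), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

Only the second and fourth cases are accepted; the third shows why the password hash comparison stays exact while the username is folded.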
CurtisH
Life Cycles Becoming CPU Cycles
Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI
|
Posted:
Fri Jun 25, 2004 12:16 pm |
|
None of the patches offered on this forum or (Sentinel) NSN's forum have worked for me and I have not been able to get a response from anyone. I myself am completely stumped.
I have NSNYA 720 3.2.0 A4 installed as well as Sentinel 1.2 and everything works as it should EXCEPT the navbar in the NSNYA user control panel links to "Change Info", "Change Home" and "Comments Setup"; clicking on these merely refreshes the NSNYA (Your Account) page. If I comment out the includes function for Sentinel in the mainfile.php, users are once again able to access the above mentioned links.
Please help. |
_________________ Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe |
|
|
chatserv
|
Posted:
Fri Jun 25, 2004 12:32 pm |
|
I would get a similar problem on a site because my name on the db was stored as ChatServ and I logged in as chatserv |
|
|
|
CurtisH
|
Posted:
Fri Jun 25, 2004 12:37 pm |
|
I tried that too, but it didn't make any difference. Are you successfully using Sentinel and NSNYA on your site, chatserv? |
|
|
|
chatserv
|
Posted:
Fri Jun 25, 2004 1:00 pm |
|
Yes, I use it on one of my sites. Let's do the following: email me the index of the Your Account module and I'll check if it has any errors. I'll PM you the email addy. |
|
|
|
CurtisH
|
Posted:
Fri Jun 25, 2004 9:24 pm |
|
Thanks chatserv for pointing me in the right direction.
Here is my fix that worked on PHP-Nuke 7.1 (patched 2.4) with NSN Sentinel 1.2.0 and NSN Your Account 720 3.2.0 A4:
find this line:
getusrinfo($user);
if (($userinfo[username] != $cookie[1]) AND ($userinfo[user_password] != $cookie[2])) {
in these 4 files:
modules/Your_Account/public/chngtheme.php
modules/Your_Account/public/editcomm.php
modules/Your_Account/public/edithome.php
modules/Your_Account/public/edituser.php
change in all 4 files to this:
cookiedecode($user);
getusrinfo($user);
if ((is_user($user)) AND ($userinfo[username] == $cookie[1]) AND ($userinfo[user_password] == $cookie[2])) {
Now the NSN Your Account module on my site is once again behaving as it was intended and NSN Sentinel is back on the job.
For those running the same setup as I am who want a quick easy fix, I have created a quick patch that you can download (link visible to registered users only). This may work on other configurations but I haven't tested. |
|
|
|
|