The Arcive of Official vBulletin Modifications Site.

Disco_Dave · #1 09-16-2014, 12:13 PM

Hi Guys

Receiving database errors, when some registers with ' in the email address. Would anyone know how to fix this?

PHP Code:


			
Database error in vBulletin 4.2.2:



Invalid SQL:

SELECT * FROM vbuserregcode WHERE userregemail = 'wendy_o'reilly@inwebmail.com';



MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'reilly@inwebmail.com'' at line 1

Error Number  : 1064

Request Date  : Monday, September 15th 2014 @ 04:56:37 PM

Error Date    : Monday, September 15th 2014 @ 04:56:38 PM

Script        : http://nirc.co.uk/joiningthenirc.php

Referrer      : http://nirc.co.uk/joiningthenirc.php

IP Address    : 69.12.84.199

Username      : Unregistered

Classname     : vB_Database_MySQLi

MySQL Version :

Dave

Dave · #2 09-16-2014, 12:19 PM

Which plugin are you using which alters the registration process? I think we have a SQL injection vulnerability here.

Disco_Dave · #3 09-16-2014, 12:22 PM

It's that one, that makes you register your email before you can sign up. Give me a sec and I'll find it.

this one? https://vborg.vbsupport.ru/showthread.php?t=294164

Dave · #4 09-16-2014, 12:41 PM

Go to your plugins in the admincp and look for the register_start hook of that plugin.

Find:

Code:

$emailalreadyused = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "userregcode WHERE userregemail = '$email'");

Replace with:

Code:

$emailalreadyused = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "userregcode WHERE userregemail = '" . $db->escape_string($email) . "'");

Disco_Dave · #5 09-16-2014, 12:43 PM

I'll give that a go now mate cheers

fxdigi-cash · #6 09-16-2014, 12:52 PM

possibly you have an old version of this mod!! because I can't find the table vbuserregcode

I think you need to uninstall the mod and install the latest version of it.

I found similar issue someone else had here:

http://www.vbulletin.com/forum/forum...database-error

Dave · #7 09-16-2014, 12:58 PM

Quote:

Originally Posted by fxdigi-cash

possibly you have an old version of this mod!! because I can't find the table vbuserregcode

I think you need to uninstall the mod and install the latest version of it.

I found similar issue someone else had here:

http://www.vbulletin.com/forum/forum...database-error

I'm pretty sure vb is his table_prefix.

Disco_Dave · #8 09-16-2014, 12:58 PM

May be I'm reading it wrong....But is that line not already the same as you provided?

PHP Code:


			
$navbits = construct_navbits(array('' => 'Verify Email')); 
$navbar = render_navbar_template($navbits); 
            $vbulletin->input->clean_array_gpc('r', array( 
        'email' => TYPE_STR, 
        'emailconfirm' => TYPE_STR, 
        'emailconfirmationcode' => TYPE_STR, 
        'codehasbeenset' => TYPE_BOOL, 
        'so' => TYPE_BOOL, 
        'emailcode' => TYPE_STR, 
        'ihaveit' => TYPE_BOOL, 
        'reorder' => TYPE_BOOL, 
    'month' => TYPE_UINT, 
    'year'  => TYPE_UINT, 
    'day'   => TYPE_UINT, 
        COOKIE_PREFIX . 'notcoppa' =>  TYPE_STR 

    )); 

if($vbulletin->options['usecoppa']) 
{ 
$current['year'] = date('Y'); 
$current['month'] = date('m'); 
$current['day'] = date('d'); 



if(!isset($_COOKIE[COOKIE_PREFIX . 'notcoppa']) AND $vbulletin->GPC['month'] != 0 AND $vbulletin->GPC['day'] != 0 AND $vbulletin->GPC['year'] != 0 AND (mktime(0, 0, 0, $vbulletin->GPC['month'], $vbulletin->GPC['day'], $vbulletin->GPC['year']) <= mktime(0, 0, 0, $current['month'], $current['day'], $current['year'] - 13))) 
{ 
vbsetcookie('notcoppa', $vbulletin->GPC['month'] . '-' . $vbulletin->GPC['day'] . '-' . $vbulletin->GPC['year'], 1); 
} 

$coppaage = ($_COOKIE[COOKIE_PREFIX . 'coppaage']) ? $_COOKIE[COOKIE_PREFIX . 'coppaage'] : $_COOKIE[COOKIE_PREFIX . 'notcoppa'] ; 

if($coppaage) 
{ 
$dob = explode('-', $coppaage); 
$month = ( $dob[0] != 0) ? $dob[0] : -1; 
$day = ( $dob[1] != 0 ) ? $dob[1] : -1; 
$year = ( $dob[2] != 0 ) ? $dob[2] : -1; 
} 
} 
$so = (isset($vbulletin->GPC['so'])) ? $vbulletin->GPC['so'] : 0 ; 
$email = strtolower($vbulletin->GPC['email']); 
$emailcode= $vbulletin->GPC['emailcode'] ; 
$emailconfirm= $vbulletin->GPC['emailconfirm'] ; 
$emailconfirmationcode = $vbulletin->GPC['emailconfirmationcode']; 
$codehasbeenset = $vbulletin->GPC['codehasbeenset']; 
$reorder = $vbulletin->GPC['reorder']; 
$ihaveit = $vbulletin->GPC['ihaveit']; 

$show['reorder'] = false; 
$show['emailerrors'] = false; 

if(isset($email) AND $email != "" AND !empty($email)) 
{ 

    if(!simpleping($email)) 
    { 
        $show['emailerrors'] = true; 
        $errorlist .= "<li>".$vbphrase['pingerror']."</li>"; 
    } 

    $emailalreadyused = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "userregcode WHERE userregemail = '$email'"); 

    if ($db->num_rows($emailalreadyused) ) 
    { 
        $show['emailerrors'] = true; 
        $show['reorder'] = true; 
        $errorlist .= "<li>".$vbphrase['emailalreadyusednotconfirmed']."</li>"; 
        $userfetched = $db->fetch_row($emailalreadyused); 
        if($userfetched[3] >= $vbulletin->options['email_verfication']) 
        { 
             eval(standard_error(fetch_error('thiswasusedmorethanenough'))); 
        } 
    } 

    $emailalreadyregisterd = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "user WHERE email = '$email'"); 

    if ($db->num_rows($emailalreadyregisterd)) 
    { 
        $show['emailerrors'] = true; 
        $errorlist .= "<li>".$vbphrase['emailalreadyregisterd']."</li>"; 
    } 
} 

if( $so != 1 AND ( ($show['emailerrors'] AND $codehasbeenset != 0) OR ( !isset($email) OR $email == "" OR empty($email) ) ) AND !$reorder AND !$ihaveit )
{ 
    $codehasbeenset = 0;  
    $templater = vB_Template::create('reg_ver_start'); 
    $templater->register('header', $header); 
    $templater->register('navbar', $navbar);  
    $templater->register('email', $email);  
    $templater->register('emailconfirm', $emailconfirm);  
    $templater->register('headinclude', $headinclude);  
    $templater->register('footer', $footer);  
    $templater->register('errorlist', $errorlist); 
    $templater->register('reorder', $reorder); 
    $templater->register('ihaveit', $ihaveit); 
    $templater->register('codehasbeenset ', $codehasbeenset ); 
    $templater->register('jqueryurl', $jqueryurl); 
    $reg_ver_start = $templater->render();   
    vB_Template::preRegister('register', array('reg_ver_start' => $reg_ver_start)); 
    $vbulletin->templatecache['register'] = '$reg_ver_start';

Disco_Dave · #9 09-16-2014, 01:00 PM

Quote:

Originally Posted by fxdigi-cash

possibly you have an old version of this mod!! because I can't find the table vbuserregcode

I think you need to uninstall the mod and install the latest version of it.

I found similar issue someone else had here:

http://www.vbulletin.com/forum/forum...database-error

Yes I posted this on here some time ago also, I did remove the mod when vb.org pulled it because of my thread. I will try what you have suggested..

Dave · #10 09-16-2014, 01:01 PM

I downloaded the latest version, but it's not safe:
It has a check to see if it's a string, then there's a strtolower function around it. Then the variable is being used in the query without being sanitized.

You should change the following:

HTML Code:

$email = strtolower($vbulletin->GPC['email']);

to

HTML Code:

$email = $db->escape_string(strtolower($vbulletin->GPC['email']));

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04997 seconds Memory Usage 2,332KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_code (2)bbcode_html (2)bbcode_php (2)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (2)post_thanks_box_bit (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (2)post_thanks_postbit (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

Благодарность от:
Disco_Dave

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!