Details
- Bug
- Status: Unverified Fix
- Resolution: Fixed
Description
I'm able to do STK > User/Group Tools > Restore Deleted Users > Select users to restore > (no name): > tick > Submit. That's possible because offering those options also offers posts where the username is empty. However, upon evaluating this user's choice it turns out the old name was (empty) and the new name should be the same (/stk/tools/usergroup/restore_deleted_users.php):
    $non_conflicted = $this->_conflicted($selected_clean);

    foreach ($non_conflicted as $user)
    {
        $this->_add_user_and_update_data($user, $user);
    }
So, what's bad about that? Well, user_add() will return FALSE if the username is empty. That means this line:
    // Add the user
    $user_id = user_add($user_ary);

    // Update posts table
    $sql = 'UPDATE ' . POSTS_TABLE . '
        SET poster_id = ' . (int) $user_id . ", post_username = ''
        WHERE post_username = '" . $db->sql_escape($oldname) . "'";
    $db->sql_query($sql);
My suggestions:
- Check user_add() to actually return an ordinal higher than zero, otherwise throw error.
- Secure the SQL query by adding 'AND poster_id= '. ANONYMOUS to make sure no already associated posts will be overwritten.
- Secure the other SQL queries around the same way.
Noticed this when analyzing this topic: Posts table poster_id all set to 0
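
The effect of the unchecked return value and the missing poster_id filter, and of applying both suggestions, shown as an added example that is not STK or phpBB code. It models the posts table in in-memory SQLite; user_add_stub(), make_db(), restore_unchecked(), restore_checked(), the sample rows and the value ANONYMOUS = 1 are assumptions made for the illustration.

```php
<?php
// Added example. user_add_stub() is a hypothetical stand-in for user_add(),
// which per the report returns false for an empty username.
const ANONYMOUS = 1; // assumed id of the guest account

function user_add_stub(string $username) {
    static $next_id = 100;
    return ($username === '') ? false : $next_id++;
}

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY, poster_id INTEGER, post_username TEXT)');
    // Constructed rows. Assumption: posts by registered users carry an empty
    // post_username, guest posts are owned by ANONYMOUS.
    $db->exec("INSERT INTO posts VALUES (1, 2, ''), (2, 53, ''), (3, 1, 'olduser'), (4, 1, '')");
    return $db;
}

// Behaviour described in the report: result unchecked, no poster_id filter.
function restore_unchecked(PDO $db, string $oldname): int {
    $user_id = user_add_stub($oldname); // false for '' becomes 0 after the cast
    $st = $db->prepare("UPDATE posts SET poster_id = ?, post_username = '' WHERE post_username = ?");
    $st->execute([(int) $user_id, $oldname]);
    return $st->rowCount();
}

// Both suggestions applied: reject a failed user_add and touch guest posts only.
function restore_checked(PDO $db, string $oldname): int {
    $user_id = user_add_stub($oldname);
    if ((int) $user_id <= 0) {
        throw new RuntimeException('user_add failed for "' . $oldname . '"');
    }
    $st = $db->prepare("UPDATE posts SET poster_id = ?, post_username = ''
        WHERE post_username = ? AND poster_id = ?");
    $st->execute([(int) $user_id, $oldname, ANONYMOUS]);
    return $st->rowCount();
}

$db = make_db();
echo restore_unchecked($db, ''), " posts reassigned by the unchecked version\n";

$db = make_db();
try {
    restore_checked($db, '');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
echo restore_checked($db, 'olduser'), " posts reassigned by the checked version\n";
```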