Mantis Bugtracker          
testlink.org

View Issue Details
ID: 0001317
Project: TestLink
Category: Users and Rights
View Status: public
Date Submitted: 2008-01-23 00:07
Last Update: 2008-11-07 19:46
Reporter: tuergeist
Assigned To: mhavlat
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.8 Beta 1
Summary: 0001317: Generation of APIKey impossible due to erroneous SQL Query
Description:
User Management -> View Users:
After clicking on APIKey, generate (http://localhost/testlink/lib/usermanagement/usersView.php?user=1&operation=gen_api_key)

an erroneous SQL Query is submitted to DB and an error is thrown by MySQL

INSERT INTO users (script_key) VALUES ('aecfe63c6e66b3e4360173740d804bb4 ') WHERE id=2
Additional Information:
Version: SNAPSHOT-08-01-22

solution:
UPDATE users SET script_key='aecfe63c6e66b3e4360173740d804bb4' WHERE id=2

1. trim key (no trailing whitespaces)
2. UPDATE instead of insert
Tags: No tags attached.

-  Notes
(0003005)
tuergeist
2008-01-23 00:13

in lib/API/APIKey.php - line 22ff - method addKeyForUser($userid)

it should be:
$query = "UPDATE users SET script_key='" .
                $this->generate_key() .
                "' WHERE id='".intval($userid)."'";
to
1. prevent an SQL injection
2. UPDATE instead of insert
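
Added example (not part of the note above and not TestLink code): the same fix written with bound parameters, plus a check that the UPDATE actually matched a user. PDO with in-memory SQLite stands in for the project's MySQL layer, `setApiKeyForUser()` is a hypothetical name, and the key generator is an assumed stand-in for `generate_key()`, whose body the page does not show.

```php
<?php
// Added example, not TestLink code. Assumptions: PDO + in-memory SQLite replace
// the project's MySQL layer; setApiKeyForUser() is a hypothetical name; the
// random_bytes() generator is a stand-in for generate_key().
declare(strict_types=1);

function setApiKeyForUser(PDO $db, $userId): string
{
    // Reject non-numeric ids outright instead of coercing them to 0.
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }
    // 32 hex characters; trim() mirrors fix 1 in the report (no trailing whitespace).
    $key = trim(bin2hex(random_bytes(16)));
    // Bound parameters: neither the key nor the id is concatenated into the SQL.
    $stmt = $db->prepare('UPDATE users SET script_key = :key WHERE id = :id');
    $stmt->execute([':key' => $key, ':id' => $id]);
    // An UPDATE that matches no row still succeeds, so check the row count.
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException("no user with id $id");
    }
    return $key;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, script_key TEXT)');
$db->exec("INSERT INTO users (id, login) VALUES (1, 'admin'), (2, 'tester')"); // constructed rows

// Statement shape from the report: INSERT takes no WHERE clause, so it is rejected.
try {
    $db->prepare("INSERT INTO users (script_key) VALUES ('x') WHERE id = 2");
    echo "unexpected: INSERT ... WHERE was accepted\n";
} catch (PDOException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

$key = setApiKeyForUser($db, 2);
$stored = $db->query('SELECT script_key FROM users WHERE id = 2')->fetchColumn();
var_dump($stored === $key, strlen($key));

try {
    setApiKeyForUser($db, '2 OR 1=1'); // constructed non-numeric id
} catch (InvalidArgumentException $e) {
    echo "bad id refused: ", $e->getMessage(), "\n";
}
```
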
(0003049)
mhavlat (reporter)
2008-01-24 22:33

Thanks for the great reporting.

- Issue History
Date Modified Username Field Change
2008-01-23 00:07 tuergeist New Issue
2008-01-23 00:13 tuergeist Note Added: 0003005
2008-01-23 04:07 schlundus Status new => assigned
2008-01-23 04:07 schlundus Assigned To => mhavlat
2008-01-24 22:33 mhavlat Status assigned => resolved
2008-01-24 22:33 mhavlat Fixed in Version => next development version (1.8 Beta1)
2008-01-24 22:33 mhavlat Resolution open => fixed
2008-01-24 22:33 mhavlat Note Added: 0003049
2008-06-03 16:49 mhavlat Fixed in Version next development version (1.8 Beta1) => 1.8 Beta 1
2008-11-07 19:46 mhavlat Status resolved => closed


