SQL error when user tries to change password #456

Closed
svenseeberg opened this issue Feb 18, 2021 · 2 comments

@svenseeberg
Contributor

On Postfixadmin 3.3.7, a user trying to change the mailbox password causes the following error message:

Invalid query: SQLSTATE[42000]: Syntax error or access violation: 1103 Incorrect table name '' caused by UPDATE ``mailbox`` SET  password = :password  WHERE username = :where, referer: https://example.com/postfixadmin/users/password.php

It seems that $this->key_table in

$result = db_update($this->key_table, 'username', $username, $set);
contains the string "`mailbox`", including backticks. I have not yet evaluated where the wrong string comes from. Replacing the parameter value with a literal mailbox string fixes the issue (which is currently my workaround in place).

I can see that the Login.php changed heavily since the 3.3.7 tag, but the line causing the error seems to be the same.

@svenseeberg
Contributor Author

I found the cause: the db_update() function calls the table_by_key() function for the table name. However, in the Login.php the $this->table_key attribute is used as parameter for the db_update() function. And $this->table_key already is the table name that was already modified by the table_by_key() function.

DavidGoodwin added a commit that referenced this issue Feb 19, 2021
DavidGoodwin pushed a commit that referenced this issue Feb 19, 2021
* The db_update function already sets backticks around the table
  name, which results in an error name if the string passed as argument
  for the table name already contains backticks.

Signed-off-by: Sven Seeberg <mail@sven-seeberg.de>
@DavidGoodwin
Member

thanks for finding the bug @svenseeberg
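
The double quoting described in this thread, reproduced as an added example (not PostfixAdmin's code and not written by either participant). `TABLES`, `table_by_key_demo()`, `build_update_demo()` and `table_by_key_strict()` are hypothetical stand-ins for the helpers named above, and the pass-through of unknown keys is an assumption made so the statement from the error message can be rebuilt.

```php
<?php
declare(strict_types=1);

// Constructed table map for this example; not the project's configuration.
const TABLES = ['mailbox' => 'mailbox', 'alias' => 'alias'];

// Stand-in for table_by_key(): logical key -> backtick-quoted table name.
// Assumption: unknown keys pass through unchanged before being quoted.
function table_by_key_demo(string $key): string
{
    $name = TABLES[$key] ?? $key;
    return '`' . $name . '`';
}

// Stand-in for db_update(): resolves the key itself, then builds the
// statement with bound placeholders for every value.
function build_update_demo(string $tableKey, string $whereCol, array $set): string
{
    $table = table_by_key_demo($tableKey);
    $assignments = [];
    foreach (array_keys($set) as $col) {
        $assignments[] = "$col = :$col";
    }
    return "UPDATE $table SET " . implode(', ', $assignments)
         . " WHERE $whereCol = :where";
}

// Stricter resolver: only known logical keys are accepted, so a name that
// was already resolved and quoted is rejected instead of being quoted again.
function table_by_key_strict(string $key): string
{
    if (!array_key_exists($key, TABLES)) {
        throw new InvalidArgumentException("unknown table key: $key");
    }
    return '`' . str_replace('`', '``', TABLES[$key]) . '`';
}

$set = ['password' => '{constructed-hash}'];

// Caller passes the logical key: the name is quoted exactly once.
echo build_update_demo('mailbox', 'username', $set), PHP_EOL;

// Caller passes an already-resolved name: the name is quoted a second time.
echo build_update_demo(table_by_key_demo('mailbox'), 'username', $set), PHP_EOL;

// The strict resolver refuses the already-quoted name.
try {
    table_by_key_strict(table_by_key_demo('mailbox'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Table and column names cannot be bound as statement parameters, so they have to be resolved and quoted at exactly one layer; rejecting anything that is not a known key makes a second pass fail loudly in the caller instead of at the database.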
