While trying to get ActiveDirectory integration working, I noticed that get_or_create_user failed
with a MySQL syntax error.
Enabling query logging on the server showed this being sent to MySQL:
INSERT INTO `auth_user` (`username`, `first_name`, `last_name`, `email`, `password`,
`is_staff`, `is_active`, `is_superuser`, `last_login`, `date_joined`) VALUES ('pilif', 'Philip',
'Hofstetter', ("'phofstetter@sensational.ch'",), '!', 0, 1, 0, '2009-05-04 10:15:23', '2009-05-04
10:15:23')
Aside from the fact that the email address isn't valid, shouldn't the value be escaped before being
sent to the database?
While this is certainly hard to exploit, sending non-escaped SQL leading to syntax errors to the
database feels wrong.
Also, what could cause this kind of query to be generated?
The AD is a default AD domain with the addition of the Exchange 2007 schema changes.
What version are you running?
1.0rc1 (updating from beta got me to rc1 - clean installing rc1 resulted in #1102)
What steps will reproduce the problem?
1. configure AD integration
2. try to log in
What is the expected output? What do you see instead?
Expected: user is logged in.
Actual: User is not logged in. No information in error log, but error message posted above in
MySQL query log
What operating system are you using? What browser?
Ubuntu Hardy. Firefox and Safari - doesn't matter though
Philip