In some circumstances a manually entered or an automatically generated client name will erroneously be reported as "already in use" and the user requested to make another choice.
This arises because the function hosting_client_sanitize, which checks the proposed name and strips out invalid characters etc., is happy to accept an underscore as a valid character in the name. However, all checks to the database use the construct "WHERE uname LIKE '%s'", and the underscore is a wildcard representing any single character in SQL queries.
This could be fixed by having the SQL statements expressed as "WHERE uname = '%s'" (which is probably a bit more efficient) or by having the function hosting_client_sanitize strip underscores as well.
Comments
Comment #1
Steven Jones commented: We should just do the LIKE query correctly, we should escape our input using something like:
Comment #2
Steven Jones commented: Thanks for the bug report, pushed a fix to both 6.x-2.x and 6.x-1.x.
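The false "already in use" match from the report, next to the two remedies discussed in this issue (exact comparison, or escaping the LIKE wildcards as comment #1 proposes), as an added example that is not the project's code or the fix that was pushed. It uses Python with an in-memory SQLite table; the table, the sample client names and the escape_like helper are constructed for illustration.

```python
import sqlite3

ESC = "\\"  # escape character handed to the SQL ESCAPE clause (assumption)

def escape_like(value, esc=ESC):
    """Neutralise LIKE metacharacters: the escape char first, then % and _."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def make_db():
    # Constructed sample data: 'johnxdoe' differs from the proposed name
    # 'john_doe' only at the position of the underscore.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (uname TEXT)")
    db.executemany("INSERT INTO clients VALUES (?)",
                   [("johnxdoe",), ("acme_corp",)])
    return db

def _exists(db, sql, arg):
    return db.execute(sql, (arg,)).fetchone()[0] > 0

def in_use_like(db, name):
    # Check as described in the report: the name is used as a LIKE pattern,
    # so '_' matches any single character.
    return _exists(db, "SELECT COUNT(*) FROM clients WHERE uname LIKE ?", name)

def in_use_equal(db, name):
    # First remedy from the report: exact comparison, no pattern matching.
    return _exists(db, "SELECT COUNT(*) FROM clients WHERE uname = ?", name)

def in_use_like_escaped(db, name):
    # Second remedy (comment #1): keep LIKE but escape wildcards in the input.
    sql = "SELECT COUNT(*) FROM clients WHERE uname LIKE ? ESCAPE '\\'"
    return _exists(db, sql, escape_like(name))

if __name__ == "__main__":
    db = make_db()
    for check in (in_use_like, in_use_equal, in_use_like_escaped):
        print(check.__name__, "john_doe ->", check(db, "john_doe"))
```

Parameter binding alone does not help here: the bound value is still interpreted as a pattern by LIKE, so the wildcard escaping has to happen in addition to it.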