I noticed the following error was triggered on my site (site specific info has been removed):
Severity: Error (3)
Type: php
Request URI: user/login
Referrer URI:
User: Anonymous (0)
Link:
Message:
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1582
Incorrect parameter count in the call to native function 'LOWER': SELECT name
FROM {users} WHERE LOWER(mail) = LOWER(:name_0, :name_1); Array
(
[:name_0] => 1
[:name_1] => 1
)
in logintoboggan_user_login_validate() (line 551 of /sites/all/modules/logintoboggan/logintoboggan.module).
---
My guess is that it is a sign of someone trying to hack into the site. If so, should the error be caught? If not, do you know what might be happening?
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | interdiff-2471309-8-12.txt | 721 bytes | dsdeiz |
| #12 | logintoboggan-check-valid-name-2366235-12.patch | 704 bytes | dsdeiz |
| #8 | logintoboggan-ensure-user-name-is-string-2366235-4.patch | 1005 bytes | blasthaus |
Comments
Comment #1
bunthorne commented:
I got it too
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1582 Incorrect parameter count in the call to native function 'LOWER': SELECT name FROM {users} WHERE LOWER(mail) = LOWER(:name_0, :name_1); Array ( [:name_0] => test3 [:name_1] => test ) in logintoboggan_user_login_validate() (line 551 [...]
Comment #2
Kristen Pol commented:
I've seen these recently. The code doesn't have the same structure. Here are the queries with LOWER in them in the code:
I don't know how they are injecting a name_0 and name_1 in there.
Comment #3
Kristen Pol commented:
Can the data be checked to see if it's an array before using it?
e.g. instead of:
use:
Comment #4
blasthaus commented:
This would best be done at the field level with a validate function on 'name', but for now the validate function should at least throw an error.
Comment #5
Morn commented:
In the log I have:
Warning: mb_strlen() expects parameter 1 to be string, array given in drupal_strlen() (Zeile 482 von ...../includes/unicode.inc).
before the PDOException: message.
Comment #6
Kristen Pol commented:
I always have mb_strlen errors in conjunction with these as well:
Comment #7
Kristen Pol commented:
Regarding #4, that seems like a sane approach. Can you make a patch?
Comment #8
blasthaus commented:
Pest the tatch.
Comment #9
Kristen Pol commented:
Shouldn't this be an elseif? i.e. we don't want the query to run if it's invalid.
Comment #10
blasthaus commented:
Good catch. Or maybe just return FALSE to prevent any other validation? I see no point in even continuing.
Note that it could also be done at the field level, something like this, which is not tested, and I'm not sure a return FALSE stops the form validation from running. If this is the preferred approach, then we could use it on other forms like the login block, etc.
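The guard discussed in #3, #4, #9 and #10, written out as an added example that is not LoginToboggan's own code and not one of the attached patches. The `example_*` function names, the stand-in Drupal functions and the sample user table are assumptions so the file runs on its own with `php`; inside Drupal 7 the real `t()`, `form_set_error()` and `db_query()` already exist and the `function_exists()` checks skip the stand-ins.

```php
<?php
// Added example: a string check in front of the LOWER(mail) query, using the
// early-return shape from #9/#10, so an array submitted as 'name' never
// reaches db_query(), where Drupal expands :name into :name_0, :name_1.
// The example_* names and the stand-ins below are assumptions.
if (!function_exists('t')) {
  function t($string) { return $string; }
}
if (!function_exists('form_set_error')) {
  function form_set_error($name, $message) {
    $GLOBALS['example_form_errors'][$name] = $message;
  }
}
if (!function_exists('db_query')) {
  class ExampleStatement {
    private $value;
    public function __construct($value) { $this->value = $value; }
    public function fetchField() { return $this->value; }
  }
  function db_query($sql, array $args = array()) {
    // Constructed stand-in for the {users} table.
    $users = array('alice@example.com' => 'alice');
    // Mirror the real failure mode: a non-string value would be expanded into
    // several placeholders and MySQL would refuse LOWER() with two arguments.
    if (!is_string($args[':name'])) {
      throw new PDOException("Incorrect parameter count in the call to native function 'LOWER'");
    }
    $mail = strtolower($args[':name']);
    return new ExampleStatement(isset($users[$mail]) ? $users[$mail] : FALSE);
  }
}

/**
 * TRUE only for a non-empty string; arrays and other non-scalars are rejected.
 */
function example_login_name_is_valid($name) {
  return is_string($name) && trim($name) !== '';
}

/**
 * Guarded form validate handler (hypothetical name). Invalid input sets a
 * form error and returns before any database access; only a real string
 * reaches the query.
 */
function example_user_login_validate($form, &$form_state) {
  $name = isset($form_state['values']['name']) ? $form_state['values']['name'] : NULL;

  if (!example_login_name_is_valid($name)) {
    form_set_error('name', t('Please enter a valid username or e-mail address.'));
    // Returning early keeps the rest of this handler from running on bad
    // input; the form error itself is what blocks submission.
    return FALSE;
  }

  // One scalar placeholder, so LOWER() always receives exactly one argument.
  $found = db_query("SELECT name FROM {users} WHERE LOWER(mail) = LOWER(:name)",
    array(':name' => $name))->fetchField();
  if ($found) {
    $form_state['values']['name'] = $found;
  }
  return TRUE;
}

// Run the handler over a normal login value and over the array shape from the
// report (both constructed here). Without the guard the second call would
// throw the PDOException quoted in the issue.
$form = array();
foreach (array('Alice@Example.com', array('1', '1')) as $input) {
  $GLOBALS['example_form_errors'] = array();
  $form_state = array('values' => array('name' => $input));
  $ok = example_user_login_validate($form, $form_state);
  printf("%-20s -> %s\n", json_encode($input),
    $ok ? 'resolved to ' . $form_state['values']['name']
        : 'rejected: ' . reset($GLOBALS['example_form_errors']));
}
```

The check sits on the value itself rather than on the query, so it also covers the `mb_strlen()` warning from #5/#6, which comes from the same array reaching `drupal_strlen()` earlier in the handler.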
Comment #11
blasthaus commented:
Looks like this module is getting some attention now, so how about we push for this:
Note also that the placeholder value ':name' is now preprocessed via PHP strtolower() instead of the current LOWER(:name) SQL syntax.
Comment #12
dsdeiz commented:
The patch from #8 I think looks good enough. From #11, I'm a bit confused by the change from LOWER(:name) to strtolower(). I'm not sure why it is necessary to convert. Anyway, attached the patch without the change to strtolower().
Comment #13
dsdeiz commented:
Comment #14
blasthaus commented:
Just to point out that patch #12 only lets the code continue to run until the same error will happen down the line if an array is passed as 'name'. So ultimately it would need to also be addressed in core for the error to completely vanish.
from user_login_authenticate_validate()