Labels: Type-Defect Priority-Medium
New issue 1103 by phofstetter: ActiveDirectory: email-address issue /
While trying to get ActiveDirectory integration working, I noticed that
with a MySQL syntax error.
Enabling query logging on the server showed this being sent to MySQL:
INSERT INTO `auth_user` (`username`, `first_name`, `last_name`, `email`,
`is_staff`, `is_active`, `is_superuser`, `last_login`, `date_joined`)
VALUES ('pilif', 'Philip',
'Hofstetter', ("'phofstet...@sensational.ch'",), '!', 0, 1, 0, '2009-05-04
Aside from the fact that the email address isn't valid, shouldn't the value
be escaped before being
sent to the database?
While this is certainly hard to exploit, sending non-escaped SQL leading to
syntax errors to the
database feels wrong.
Also, what could cause this kind of query to be generated?
The AD is a default AD domain with the addition of the Exchange 2007 schema
What version are you running?
1.0rc1 (updating from beta got me to rc1 - clean installing rc1 resulted in
What steps will reproduce the problem?
1. configure AD integration
2. try to login
What is the expected output? What do you see instead?
Expected: user is logged in.
Actual: User is not logged in. No information in error log, but error
message posted above in
MySQL query log
What operating system are you using? What browser?
Ubuntu Hardy. Firefox and Safari - doesn't matter though
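An added example, not part of the original report and not Review Board's own code: the logged email value has the shape of a one-element Python tuple holding a string that carries its own quotes, so this sketch reduces a directory attribute to one validated string before a parameterized insert. It assumes the mail attribute arrived as a sequence of values; `scalar_email`, `store_user`, the two-column table and the sample address are constructed for illustration, and sqlite3 stands in for MySQL so the block runs offline.

```python
import re
import sqlite3

# Conservative shape check, not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def scalar_email(value):
    """Reduce a directory attribute (str, bytes, or a list/tuple holding
    one of those) to a single validated address, or raise ValueError."""
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError("expected exactly one mail value, got %d" % len(value))
        value = value[0]
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if not isinstance(value, str):
        raise ValueError("unsupported mail value type: %s" % type(value).__name__)
    # Drop whitespace and any quotes wrapped around the address itself.
    value = value.strip().strip("'\"").strip()
    if not _EMAIL_RE.match(value):
        raise ValueError("not a usable e-mail address: %r" % value)
    return value


def store_user(conn, username, mail_attr):
    """Normalize first, then insert with bound parameters only."""
    email = scalar_email(mail_attr)
    conn.execute(
        "INSERT INTO auth_user (username, email) VALUES (?, ?)",
        (username, email),
    )
    return conn.execute(
        "SELECT email FROM auth_user WHERE username = ?", (username,)
    ).fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, email TEXT)")
    # Constructed value with the same shape as the logged one:
    # a one-element tuple whose string carries its own quotes.
    return store_user(conn, "pilif", ("'user@example.org'",))


if __name__ == "__main__":
    print(demo())
```

Rejecting the value with `ValueError` at the authentication layer also gives the application something to log, instead of a failure that is visible only in the database query log.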