Login screen bugfix - code included

  • Hi,

    I recently found what looked like a very serious bug in airtime. But after private discussions with the airtime dev team, careful analysis of the code and some testing it was realised to be less serious than it first seemed.  However, the bug does mean that using certain usernames will cause 'ugly' login failures.

    Any username which contains an apostrophe ( ' ) triggers a login failure during the recapcha check - this block of code is executed even if the recapcha is not displayed on the screen.

    For those who understand, it is due to passing a "Non-escaped" string to a "Prepared SQL Statement" - the fact that it is "Prepared" is why bug is not as serious as it might fist seem. So "Don't Panic" about the risk of meeting Little Johnny Tables.

    Anyway, if you wish to have apostrophe's <sic> in your usernames, I have attached a bugfixed version of LoginController.php ...On my Debian box, it lives in /usr/share/airtime/application/controllers/ - if you need to do a little hunting on your install to find it, you may wish to start by looking at where your airtime apache config is pointing ;)

    I have also attached a "diff" file which a) shows the changes which have been made and b) programmers/hard-core techies like.

    NOTE: Because the forums will not allow me to upload .php and .diff files I have added ".txt" to the end of the filenames ...you should remove this addition as soon as you have downloaded the file(s).