
Obscure bug and a fix

For the Anti-Spam ACP 2.0.x Mod Only

Postby Defenestrator » Sun Feb 24, 2008 7:24 pm

I ran into problems getting a "Failed to update log table." error periodically. Turns out it occurred when it tried to log a post attempt by someone who had a ' in their name (legal and valid in phpBB2). The ' isn't properly escaped.

In /var/www/forums/includes/functions_anti_spam_acp.php, I added the following line:
$username = str_replace("'", "\'", $username);
In:
function_log_spam($triggers, $username, $user_id, $email, $location, $notice = '') // Logs data to spam table

above the assignment for $sql, so that the ' in $username is properly escaped for the query.

I haven't done extensive testing or looked at the logs, but so far it seems to have taken care of it without side effects.

(If there's a better place to put this or a better way to fix it, let me know)
Defenestrator
Member
Posts: 3
Joined: Sun Feb 24, 2008 7:09 pm

Re: Obscure bug and a fix

Postby EXreaction » Sun Feb 24, 2008 7:30 pm

Ouch.

I'll put it on my to do list to take a look at when I get some time. :)
Grateful for the mods I've built? Then donate!
EXreaction
Site Owner
Posts: 4988
Joined: Wed Jun 28, 2006 5:08 pm

Re: Obscure bug and a fix

Postby EXreaction » Sat Mar 01, 2008 4:47 pm

Ok, I finally have gotten around to looking at this.

I cannot seem to reproduce this error. I've tried registering with a ', changing a current user's username and adding a ' in, and just about everything else I could, all with it logging it to the spam log.

I have also tried posting with a username that has a ' in it and having it record it to the spam log. It did not give me an error then either.

Where exactly do you get it?
What other mods have you installed?

Re: Obscure bug and a fix

Postby Defenestrator » Sat Mar 01, 2008 7:35 pm

I ran into it specifically when a user with too few posts and a ' in their name tried to post a URL and was not allowed. It gave a SQL error instead of the "not allowed" error. You may be avoiding it due to having magic_quotes_runtime turned on in your PHP settings or something, because as far as I can tell the ' isn't escaped in the username anywhere in the code. (On a side note, it might be a good idea to take a look at putting in thorough safeguards against SQL injection throughout the script. It's effective enough that it's likely to end up quite popular, and therefore could become a target for the spammers to actively try and break.)

Re: Obscure bug and a fix

Postby EXreaction » Sat Mar 01, 2008 9:07 pm

Ok, I see it now.

It only happens if the user is registered with a ' in their name and a URL in the post where they are not allowed to do it. Looks entirely impossible to use SQL injection in this case as it only affects registered users and registered users' usernames can only be 25 characters long.
1234567890123456798012345 <- not long enough to produce even a simple query.

I will look at fixing it and releasing a new version, but I have not decided as of yet.

Re: Obscure bug and a fix

Postby EXreaction » Sun Mar 02, 2008 12:05 am

Ok, I have fixed that up along with a few other bugs.

Since I do not use phpBB2 I haven't gotten a chance to thoroughly test it, though there should be no problems.

If you could, update your install with the package I've attached and let me know how it goes. :)
Attachments
Anti-Spam_ACP_209.zip
(724.38 KiB) Downloaded 917 times

Re: Obscure bug and a fix

Postby EXreaction » Wed Mar 05, 2008 11:26 am

Is that working without any problems?

Re: Obscure bug and a fix

Postby Defenestrator » Wed Mar 05, 2008 11:39 am

Oddly enough, I'm not the admin who applies updates to this particular board. I let the one who does know, and she's going to add it sometime in the next week or so. I'll let you know when it happens. Glancing through the code, I'm not sure if addslashes(stripslashes($variable)) is the most elegant solution vs actually checking to see if magic_quotes is on, but it shouldn't cause any problems since I believe backslashes aren't allowed in usernames.

[edit] On another side note... 25 characters isn't enough for a simple useful query, but it's enough for a malicious one. Again, perhaps paranoid, but since it's an anti-spam script there's a higher chance of a determined attacker who knows what they're doing.

Re: Obscure bug and a fix

Postby EXreaction » Wed Mar 05, 2008 1:18 pm

addslashes(stripslashes()) is the best I think because it makes absolutely sure quotes don't get slashed more than once (well, unless they were already slashed twice before). I think it works best in this case because it could have a range of inputs, some that already are slashed and some that are not (and I do not want to deal with bugs later). :)

I removed the queries you listed as they could be bad. Don't want to give any ideas if someone reads this. ;)

I will release 2.0.9 immediately and let everybody know. :)

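The failure discussed in this thread, reproduced as an added example that is not from the thread or from the mod's own code: a log insert built by string concatenation breaks on a username containing ', while a prepared statement stores the same name without any escaping step. It assumes PHP 7+ with the PDO SQLite driver; the table, columns and function names are hypothetical, since the mod's real schema is not shown here.

```php
<?php
// Added example. Table and column names are hypothetical; the mod's real
// schema is not shown in the thread. Uses an in-memory SQLite database via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE spam_log (username TEXT, user_id INTEGER, notice TEXT)');

// "Before": the username is pasted straight into the SQL text, as in the
// reported bug. A ' in the name ends the string literal early.
function log_spam_concat(PDO $db, string $username, int $user_id, string $notice): bool
{
    $sql = "INSERT INTO spam_log (username, user_id, notice)
            VALUES ('$username', $user_id, '$notice')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // what surfaced as "Failed to update log table."
    }
}

// "After": placeholders keep the data out of the SQL text, so no escaping
// (and no guessing about magic quotes) is needed.
function log_spam_prepared(PDO $db, string $username, int $user_id, string $notice): bool
{
    $stmt = $db->prepare(
        'INSERT INTO spam_log (username, user_id, notice) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$username, $user_id, $notice]);
}

// Constructed sample usernames: one plain, one with an apostrophe.
foreach (["Alice", "O'Brien"] as $name) {
    printf("%-8s concat=%s prepared=%s\n", $name,
        var_export(log_spam_concat($db, $name, 42, 'URL in post'), true),
        var_export(log_spam_prepared($db, $name, 42, 'URL in post'), true));
}

// List what was stored; names are returned exactly as they were submitted.
foreach ($db->query('SELECT username FROM spam_log') as $row) {
    echo $row['username'], "\n";
}
```

Because the bound value never becomes part of the SQL text, the result does not depend on the username length limit or on whether the input was already slashed.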
