Here's a script we use to copy preferences from one user to all users for MW 1.4.x. YMMV.
// Read the model user's row ($name is the user to copy from)
mysql_connect($wgDBserver, $wgDBuser, $wgDBpassword);
@mysql_select_db($wgDBname);
$query = "SELECT * FROM " . $wgDBprefix . "user WHERE LOWER(user_name) = '" . strtolower($name) . "'";
$result = mysql_query($query);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
mysql_close();

// Write that user's options to every row (the UPDATE has no WHERE clause)
mysql_connect($wgDBserver, $wgDBuser, $wgDBpassword);
@mysql_select_db($wgDBname);
$query = "UPDATE " . $wgDBprefix . "user SET user_options = '" . $row['user_options'] . "'";
$result = mysql_query($query);
mysql_close();
Al.
-----Original Message-----
From: Rob Church [mailto:robchur@gmail.com]

Not a quick one, that I know of. A custom PHP script might do it.
On 20/12/05, Isaac Gonzalez youngi@comcast.net wrote:
is there a way to change to user preferences for all users?
Thanks a lot, I'll give this a whirl... on MW 1.5.3.
-Isaac

----- Original Message -----
From: "Alistair Johnson" JohnsonA@rembrandt.co.nz
To: "MediaWiki announcements and site admin list" mediawiki-l@Wikimedia.org
Sent: Monday, December 19, 2005 5:46 PM
Subject: RE: [Mediawiki-l] How do I change the default skin for users that are both logged in as well as not logged in?

[snip]
Alistair Johnson wrote:
Here's a script we use to copy preferences from one user to all users for MW 1.4.x. YMMV.
[snip]
This snippet appears to be vulnerable to SQL injection attacks. A cleverly written signature or other option on the model row could probably be used to overwrite everyone else's passwords or such.
-- brion vibber (brion @ pobox.com)
At what level can this be exploited?
From the wiki interface?
Or from MySQL?
What if there is a firewall in front of MySQL?
-----Original Message-----
From: mediawiki-l-bounces@Wikimedia.org [mailto:mediawiki-l-bounces@Wikimedia.org] On Behalf Of Brion Vibber
Sent: Monday, December 19, 2005 7:14 PM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] How do I change the default skin for users that are both logged in as well as not logged in?

[snip]
Isaac Gonzalez wrote:
At what level can this be exploited?
From the wiki interface?
Or from MySQL?
What if there is a firewall in front of MySQL?
For some general background on SQL injection attacks please see: http://en.wikipedia.org/wiki/SQL_injection
Always, *always* escape your input strings when manually constructing SQL statements. This should have been impressed upon you when you first started learning about SQL, but it's easy to pick up bad habits with the large amount of sloppy example code out there.
If using PHP and MySQL directly, use the mysql_real_escape_string() function. For documentation please see: http://www.php.net/mysql_real_escape_string
The code that was given above takes the data from a particular user record's user_options field and pastes it directly into an SQL statement. The existence of "'" or "\" characters in that field could be abused to completely change the meaning of the resulting SQL statement when someone next runs that script, by closing the string literal and setting the value of other fields on every user record.
If the account being read from is secure, and nobody ever makes a mistake, you might never have a problem. Or you might just get SQL errors when you have a "'" in there by mistake. But it does increase your chance of problems to have this insecure system, and if you have that you likely have other insecure code written similarly.
-- brion vibber (brion @ pobox.com)
On 12/20/05, Brion Vibber brion@pobox.com wrote:
Always, *always* escape your input strings when manually constructing SQL statements. This should have been impressed upon you when you first started learning about SQL, but it's easy to pick up bad habits with the large amount of sloppy example code out there.
If using PHP and MySQL directly, use the mysql_real_escape_string() function. For documentation please see: http://www.php.net/mysql_real_escape_string
Even stronger is to use prepared SQL and bind the variables. This isn't always supported by the language/DB combo though. I think that PHP 5 supports prepared SQL statements, but PHP 4 doesn't.
-- Rick DeNatale
Visit the Project Mercury Wiki Site http://www.mercuryspacecraft.com/
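
The fix discussed in the replies above (escape or, better, bind every value), shown as an added example that is not code from this thread or from MediaWiki. It assumes PHP 7+ with PDO and uses an in-memory SQLite database as a stand-in for the wiki's MySQL database; the table and column names follow the script above, while the user_password column, the sample rows and the copyOptionsToAll() helper are constructed for illustration.

```php
<?php
// Added example: copy one user's options to every user with bound parameters.
// Assumption: in-memory SQLite stands in for the wiki's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_name TEXT, user_password TEXT, user_options TEXT)');

// Constructed sample rows. The model user's options contain a quote and text
// that would be read as a second column assignment if pasted into the SQL.
$rows = [
    ['Model', 'hash-model', "skin=monobook\nnickname=x', user_password='overwritten"],
    ['Alice', 'hash-alice', 'skin=classic'],
    ['Bob',   'hash-bob',   'skin=classic'],
];
$insert = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
foreach ($rows as $r) {
    $insert->execute($r);
}

// Hypothetical helper: returns the number of rows updated.
function copyOptionsToAll(PDO $db, string $modelName): int
{
    // The name is bound, never concatenated.
    $select = $db->prepare('SELECT user_options FROM user WHERE LOWER(user_name) = LOWER(:name)');
    $select->execute([':name' => $modelName]);
    $options = $select->fetchColumn();
    if ($options === false) {
        throw new RuntimeException("No such user: $modelName");
    }
    // The stored value is bound too: data read back from the database is
    // still untrusted input when it goes into the next statement.
    $update = $db->prepare('UPDATE user SET user_options = :options');
    $update->execute([':options' => $options]);
    return $update->rowCount();
}

$changed = copyOptionsToAll($db, 'model');
echo "rows updated: $changed\n";

foreach ($db->query('SELECT user_name, user_password, user_options FROM user') as $row) {
    // Passwords are untouched; the quote-bearing text is stored as plain data.
    printf("%-6s %-11s %s\n", $row['user_name'], $row['user_password'], json_encode($row['user_options']));
}
```

Against MySQL the same statements work through PDO's mysql driver or mysqli's prepare() and bind_param(); the mysql_* functions used in the original script were removed in PHP 7.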