BIG BUG in deleting accounts

[heavypredator]

i discovered today that /scripts/killacct has this code:

Code:

else {
    my $mysql = cPScript::Mysql->new;
    $mysql->sendmysql("DELETE FROM user WHERE user='$user';");
    $mysql->sendmysql("DELETE FROM user WHERE user LIKE '${user}_%';");
    $mysql->sendmysql("DELETE FROM db WHERE user='$user';");
    $mysql->sendmysql("DELETE FROM db WHERE user LIKE '${user}_%';");
    $mysql->sendmysql("DELETE FROM tables_priv WHERE user='$user';");
    $mysql->sendmysql("DELETE FROM tables_priv WHERE user LIKE '${user}_%';");
    $mysql->sendmysql("DELETE FROM columns_priv WHERE user='$user';");
    $mysql->sendmysql("DELETE FROM columns_priv WHERE user LIKE '${user}_%';");
    $mysql->sendmysql("FLUSH PRIVILEGES;");
    exit();
}

thanks to this when deleting account "rage", it deleted all mysql users in accounts rage2, rage3, rage4, rage5

i understand why it is deleting like this but there should be warning - DO NOT CREATE(or delete ) ACCOUNTS WITH THE SAME USERNAME<number>

that took me little over hour to track why suddently my mysql users were gone - not cool i started to think HACKED - checked all apache logs first :/

can someone from cpanel think of better way to delete db?

[h2oski]

looks like they just need to escape the _
In the query above it is being interpreted as a single character wildcard, but I assume cpanel wants it to be interpreted as a literal underscore

[hostmedic]

I was going to add this to bugtrack - looked to see if you did and did not see it - but a worth while suggestion.

thanks for the FYI
have a few clients that resell doing this method
OUCH

[heavypredator]

added Bugzilla Bug 3859

and no problem - it is good to leave info for someone looking for help - it saves people time