4images Forum & Community
4images Help / Hilfe => Bug Fixes & Patches => Topic started by: trez on January 28, 2007, 04:15:53 PM
-
Hi,
Does anyone of you have users like {username}? Or {P}blabla?
Well, the problem is that 4images isn't parsing the username right if there is an opening and closing bracket ({ and }). So the user is "invisible" in the who is online, even in his profile, even in the user administration - everywhere. The user name in the brackets is just not displayed.
Well, this is also a security problem, but I won't write on that topic much further. I was surprised that even the new version (1.7.4) hasn't resolved that bug. I found out about this when "invisible users" started complaining that they can't get PMs and that they can't upload any images or create folders.
So, the bug is in the register.php, and there is a simple solution to resolve this problem.
STEP 1
open your register.php
find:
$msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
$error = 1;
}
right after the closing } insert:
elseif (preg_match("#[<{}>]#", $user_name))
{
$msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
$error = 1;
}
save and close.
STEP 2
open /lang/english/main.php
find:
$lang['username_exists'] = "User name already exists.";
insert right below:
$lang['invalid_symbols'] = "Please use only numbers 0-9 and letters A-Z in your username!.";
save and close.
That's it, now you are rid of the problem. In this example we have forbidden only the symbols "<>{}"; if you want to forbid more symbols, just add them between the [.....]
For example, if we want to forbid "$%^&*()" the line would look like this:
elseif (preg_match("#[<{}>$%^&*()]#", $user_name))
That's it.
Greetings,
George
Developers, this has to be added in the next version!
-
... thanks for your solution George ... :D
-
It's important and very nice that you share your solution with us.
Thanks for..
woody
-
thanks!
Maybe this should be moved to "Bug Fixes & Patches"
-
@ CeJay
... you are right ... and it's done .. ;)
-
... in version 1.7.0 this code already works ...
... it seems as if this part of reg_code is lost since version 1.7.1 ...
-
I would like this to work with passwords as well so this may be a dumb question, but does this also apply to passwords?
If not, how can I make it so it does? Can I add it by putting in 'password' like so:
elseif (preg_match("#[<{}>]#", $user_name, $password))
{
$msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
$error = 1;
}
Thanks for any help :!:
-
well, just try it :D
-
I don't know, but wouldn't it be more appropriate to enter allowed characters?
-
I just found out that some of my members use unknown characters (like ł, ° etc.) to register.
That's why I'm wondering if there is a way to set allowed characters rather than disallowed?
-
Change:
elseif (preg_match("#[<{}>]#", $user_name, $password))
{
$msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
$error = 1;
}
for:
elseif (preg_match("#[<{}>ł°]#", $user_name, $password))
{
$msg .= (($msg != "") ? "<br />" : "").$lang['invalid_symbols'];
$error = 1;
}
-
I know that I can add another disallowed character there, but I'm saying that it would be easier to add allowed characters instead of disallowed.
-
I would rather suggest using this code:
!preg_match("/^[A-Za-z0-9\\-\\.]+$/", $user_name)
Please correct me if I'm wrong.
-
You can use:
preg_match("/[^A-Za-z0-9\-\_]+$/", $user_name)
I use it for my gallery. ;)
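-
Added example (not part of any post above and not 4images code): the username checks posted in this thread, run against constructed usernames, next to a strict allowlist anchored with \A and \z. The function names, the sample usernames and the strict allowlist's character set are assumptions made for illustration.

```php
<?php
// Added example, not 4images code. Function names and sample usernames are
// constructed; the first three patterns are the ones posted in this thread.

// Denylist from the original fix: reject only when < { } or > is present.
function denylist_rejects(string $name): bool {
    return preg_match('#[<{}>]#', $name) === 1;
}

// Allowlist with ^...$: "$" also matches before a trailing newline.
function dollar_allowlist_rejects(string $name): bool {
    return preg_match('/^[A-Za-z0-9\-\.]+$/', $name) !== 1;
}

// Negated class tied to the end: only the trailing characters are inspected.
function negated_tail_rejects(string $name): bool {
    return preg_match('/[^A-Za-z0-9\-\_]+$/', $name) === 1;
}

// Strict allowlist (character set is an assumption): \A and \z anchor to the
// real start and end of the string, so every byte has to be in the class.
function strict_allowlist_rejects(string $name): bool {
    return preg_match('/\A[A-Za-z0-9._-]+\z/', $name) !== 1;
}

// preg_match()'s third parameter receives the matches; it is not a second
// subject. Validating another field takes a separate preg_match() call.

$samples = ['George', '{username}', '{P}blabla', 'userł°', "admin\n", 'a<b'];
$checks = [
    'denylist'        => 'denylist_rejects',
    'allowlist ^$'    => 'dollar_allowlist_rejects',
    'negated tail'    => 'negated_tail_rejects',
    'allowlist \A \z' => 'strict_allowlist_rejects',
];

foreach ($samples as $name) {
    $row = [];
    foreach ($checks as $label => $fn) {
        $row[] = $label . '=' . ($fn($name) ? 'reject' : 'accept');
    }
    // json_encode makes the trailing newline and non-ASCII characters visible.
    echo str_pad(json_encode($name), 22), implode('  ', $row), "\n";
}
```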