Author Topic: [FIX] - Register.php  (Read 10667 times)


Offline thunderstrike

  • 4images Guru
  • *******
  • Posts: 2.327
    • View Profile
[FIX] - Register.php
« on: September 08, 2007, 05:40:00 PM »
Detail: Check for valid chars before registering the account in the DB.

Action: Register

Find:

Quote
$user_name = (isset($HTTP_POST_VARS['user_name'])) ? un_htmlspecialchars(trim($HTTP_POST_VARS['user_name'])) : "";
$user_name = ereg_replace("( ){2,}", " ", $user_name);
$user_password = (isset($HTTP_POST_VARS['user_password'])) ? trim($HTTP_POST_VARS['user_password']) : "";  
$user_email = (isset($HTTP_POST_VARS['user_email'])) ? un_htmlspecialchars(trim($HTTP_POST_VARS['user_email'])) : "";
$user_showemail = (isset($HTTP_POST_VARS['user_showemail'])) ? intval($HTTP_POST_VARS['user_showemail']) : 0;
$user_allowemails = (isset($HTTP_POST_VARS['user_allowemails'])) ? intval($HTTP_POST_VARS['user_allowemails']) : 1;
$user_invisible = (isset($HTTP_POST_VARS['user_invisible'])) ? intval($HTTP_POST_VARS['user_invisible']) : 0;
$user_homepage = (isset($HTTP_POST_VARS['user_homepage'])) ? un_htmlspecialchars(trim($HTTP_POST_VARS['user_homepage'])) : "";
$user_icq = (isset($HTTP_POST_VARS['user_icq'])) ? ((intval(trim($HTTP_POST_VARS['user_icq']))) ? intval(trim($HTTP_POST_VARS['user_icq'])) : "") : "";

replace:

Code:
// User name: cast to string, trim and undo HTML entity encoding.
$user_name = (isset($HTTP_POST_VARS['user_name'])) ? un_htmlspecialchars(trim((string)$HTTP_POST_VARS['user_name'])) : "";
// Remove an apostrophe followed by a run of characters outside a-z, 0-9, "_" and "-".
$user_name = preg_replace("/'[^a-z0-9_-]+/i", "", $user_name);
// Collapse runs of two or more spaces into a single space.
$user_name = preg_replace("/( ){2,}+/i", " ", $user_name);
$user_name = format_text(trim($user_name), 2);
// Password: every character outside A-Z, a-z, 0-9, "_" and "-" is removed from the submitted value.
$user_password = (isset($HTTP_POST_VARS['user_password'])) ? un_htmlspecialchars(trim((string)$HTTP_POST_VARS['user_password'])) : "";
$user_password = preg_replace("/[^A-Za-z0-9_-]+/i", "", $user_password);
$user_password = format_text(trim($user_password), 2);
$user_email = (isset($HTTP_POST_VARS['user_email'])) ? un_htmlspecialchars(trim((string)$HTTP_POST_VARS['user_email'])) : "";
// Call mailchek() or check_email(), whichever one is defined while the other is not.
// Both branches are empty, so the result of the check is not acted on here.
  if (isset($user_email)) {
      if (function_exists('mailchek') && !function_exists('check_email') && mailchek($user_email, 2)) {
      } elseif (function_exists('check_email') && !function_exists('mailchek') && check_email($user_email)) {
      }
  }
// Flags: intval() already yields an integer; preg_replace() then keeps digits only.
$user_showemail = (isset($HTTP_POST_VARS['user_showemail'])) ? intval($HTTP_POST_VARS['user_showemail']) : 0;
$user_showemail = preg_replace("/[^0-9]+/i", "", $user_showemail);
$user_allowemails = (isset($HTTP_POST_VARS['user_allowemails'])) ? intval($HTTP_POST_VARS['user_allowemails']) : 1;
$user_allowemails = preg_replace("/[^0-9]+/i", "", $user_allowemails);
$user_invisible = (isset($HTTP_POST_VARS['user_invisible'])) ? intval($HTTP_POST_VARS['user_invisible']) : 0;
$user_invisible = preg_replace("/[^0-9]+/i", "", $user_invisible);
// Homepage: default to "" so the variable is always defined, then accept the value
// when it matches an optional http:// or https:// prefix followed by a host part.
$user_homepage = "";
  if (isset($HTTP_POST_VARS['user_homepage']) && preg_match('@^(?:https?://)?([^/]+)@i', (string)$HTTP_POST_VARS['user_homepage'])) {
  $user_homepage = (isset($HTTP_POST_VARS['user_homepage'])) ? un_htmlspecialchars(trim((string)$HTTP_POST_VARS['user_homepage'])) : "";
  }
// ICQ number: integer or empty, digits only.
$user_icq = (isset($HTTP_POST_VARS['user_icq'])) ? ((intval(trim($HTTP_POST_VARS['user_icq']))) ? intval(trim($HTTP_POST_VARS['user_icq'])) : "") : "";
$user_icq = preg_replace("/[^0-9]+/i", "", $user_icq);
« Last Edit: August 27, 2011, 02:19:07 PM by thunderstrike »
8 steps need when ask question -

- PHP version (ACP - > phpinfo())
- mySQL version (ACP - > phpinfo())
- 4images version
- Post screenshot / URL
- Post code in BB Code (no need full file for code) or post attach file
- It doesn't work. What is say - what is do for no work
- Install MOD ? If so - please say (troubleshooting)
- Read FAQ ? Install Bug fixes ?
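
Added example (not part of the original post and not 4images code): the same registration fields validated by rejecting bad input instead of stripping characters, so the password is kept exactly as typed and the homepage is limited to absolute http(s) URLs. The function name, the length limits and the plain-array input are assumptions, and the code targets current PHP (7.1+) rather than `$HTTP_POST_VARS`.

```php
<?php
// Added example, not 4images code. Field names follow the post; limits are assumed.
// Returns [clean values, names of invalid fields]; bad input is reported, not rewritten.
function validate_registration(array $post): array
{
    $errors = [];
    $get = function (string $key) use ($post): string {
        // Arrays (user_name[]=x) are treated as missing instead of being cast.
        return (isset($post[$key]) && is_string($post[$key])) ? trim($post[$key]) : '';
    };

    // User name: collapse runs of spaces, then require the allowed alphabet.
    $name = preg_replace('/ {2,}/', ' ', $get('user_name'));
    if (!preg_match('/^[A-Za-z0-9_ -]{3,32}$/', $name)) {
        $errors[] = 'user_name';
    }

    // Password: length check only; the value is passed on exactly as typed.
    $password = is_string($post['user_password'] ?? null) ? $post['user_password'] : '';
    if (strlen($password) < 8) {
        $errors[] = 'user_password';
    }

    $email = $get('user_email');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'user_email';
    }

    // Homepage is optional; when present it must be an absolute http(s) URL.
    $homepage = $get('user_homepage');
    if ($homepage !== '') {
        $scheme = strtolower((string) parse_url($homepage, PHP_URL_SCHEME));
        if (filter_var($homepage, FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            $errors[] = 'user_homepage';
        }
    }
    return [[
        'user_name' => $name, 'user_password' => $password,
        'user_email' => $email, 'user_homepage' => $homepage,
    ], $errors];
}

// Constructed sample input: bad user name, acceptable password and e-mail, non-http homepage.
[$clean, $errors] = validate_registration([
    'user_name' => "bob'  <b>", 'user_password' => 'p@ss w0rd!',
    'user_email' => 'bob@example.org', 'user_homepage' => 'javascript:alert(1)',
]);
print_r($errors);
```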

Offline thunderstrike

Re: [FIX] - Register.php
« Reply #1 on: September 14, 2007, 10:19:45 PM »
Find:

Quote
$site_email->register_vars(array(
          "user_name" => $row[$user_table_fields['user_name']],
          "site_name" => $config['site_name']
        ));
        $site_email->set_body("activation_success", $config['language_dir']);
        $site_email->send_email();

replace:

Code:
$site_email->register_vars(array(
          "user_name" => format_text(trim($row[$user_table_fields['user_name']]), 2),
          "site_name" => format_text($config['site_name'], 2)
        ));
        $site_email->set_body("activation_success", $config['language_dir']);
        $site_email->send_email();

Offline thunderstrike

Re: [FIX] - Register.php
« Reply #2 on: September 17, 2007, 03:26:56 PM »
I fixed the 1st post for $user_name and $user_password.