SYSTEM User glitch
Hall of Famer
12-20-2014, 11:18 AM
Bug with user possibly registering with username as 'SYSTEM'
Lately Kyttias was asking me a question on what would happen to pounded adoptables if a malicious user registers with the username 'SYSTEM'. I tested it on my demo site and the result was not pleasant: the user would take over all owned adoptables as his/her own, although the pound center still works normally, so this user is always in danger of losing his/her adoptables to others.
A fix can be done by adding these lines below line 31 in file classes/class_registervalidator.php:
    if($username == "SYSTEM"){
        $this->seterror("Cannot use SYSTEM as username.");
        return FALSE;
    }
If you have never modified this file, downloading the attachment will solve the problem for you quickly and easily.
MikiHeart
01-13-2015, 10:12 PM
I think this should be implemented but with more options. To rule out usernames like "admin" or "staff" or anything that could be misleading and users could use to attempt to scam other users.
Kind of like a 'disallowed' usernames kinda thing.
Kyttias
01-16-2015, 11:11 AM
-
MikiHeart
01-17-2015, 03:02 AM
I agree. I think it's the same sorta thing. Also, you replied to the wrong thread XD
CallumCharlton
03-09-2015, 02:03 PM
Is it possible to adapt this so that it does include usernames such as 'Admin', 'Staff', 'Owner', 'Moderator' and 'Error'? As previously stated, this could lead to some unethical practices haha :)
IntoRain
03-10-2015, 01:43 PM
Yeah, you can add a series of "if(username == "name_you_dont_want")" in the same format. I prefer putting all forbidden names (in uppercase) in an array and checking if the username is in that array. Like:
    $forbidden_names = array("SYSTEM", "ADMIN", "STAFF", "OWNER", "MODERATOR", "ERROR");
    if(in_array(strtoupper($username), $forbidden_names)){
        $this->seterror("Cannot use '$username' as username.");
        return FALSE;
    }
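A fuller version of the reserved-name check discussed above, as an added example that is not part of the thread or of the Mysidia Adoptables code. It goes beyond the uppercase comparison by also collapsing separators and trailing whitespace before comparing; the function names and the ASCII-only username policy are assumptions, and the returned message is what would be passed to `seterror()` inside `usernamevalidate()`.

```php
<?php
// Added example, not Mysidia Adoptables code. The function names and the
// ASCII-only username policy are assumptions made for this illustration.

// Reduce a username to the form used for comparison: uppercase, with
// whitespace, underscores, dots and hyphens removed, so that "sys_tem"
// and " System " both collapse to "SYSTEM".
function canonical_username($username){
    return strtoupper(preg_replace('/[\s_.\-]+/', '', $username));
}

// Returns an error message, or NULL when the name is acceptable.
function reserved_username_error($username){
    // Names from this thread that must never belong to a regular account.
    $forbidden_names = array("SYSTEM", "ADMIN", "STAFF", "OWNER", "MODERATOR", "ERROR");

    // Assumption: usernames are limited to these ASCII characters, so
    // lookalike letters from other alphabets cannot imitate "ADMIN".
    // \A and \z anchor the whole string, including a trailing newline.
    if(!preg_match('/\A[A-Za-z0-9 _.\-]+\z/', $username)){
        return "Username contains characters that are not allowed.";
    }
    // Exact match on the canonical form: "Systematic" is still allowed.
    if(in_array(canonical_username($username), $forbidden_names, TRUE)){
        return "Cannot use '$username' as username.";
    }
    return NULL;
}

// Constructed sample input, not taken from a real site.
$samples = array("SYSTEM", "system", " System ", "sys_tem", "Ad-min", "Silver_Brick", "Systematic");
foreach($samples as $name){
    $error = reserved_username_error($name);
    echo str_pad("'$name'", 16), ($error === NULL ? "ok" : "rejected: $error"), "\n";
}
```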
Silver_Brick
01-06-2017, 07:32 AM
Do not joke, hof, it is not fixed. That system username is still bugging me, so help me out. I can show the screenshot, and here is my register validation:
<?php
class RegisterValidator extends UserValidator{
    // The register validator for user and usergroup system

    public function __construct(User $user, $value = array(), $action = ""){
        parent::__construct($user, $value, $action);
    }

    public function validate($action = "", $data = ""){
        // The core method validate, it acts like a controller and sends requests to different private methods based on the action
        $validarray = array("username", "password", "email", "birthday", "ip", "tos", "answer");
        // For RegisterValidator, the validator methods will be executed all at once
        foreach($this->value as $key => $var){
            $method = "{$key}validate";
            if(in_array($key, $validarray)) $this->$method($var);
            else throw new Exception('Validation action invalid...');
            if(!empty($this->error)) return FALSE;
        }
    }

    protected function usernamevalidate($username = ""){
        // The username validator, note it's a bit complicated here due to the different mechanism of username check for register and other validators
        $lang = Registry::get("lang");
        if(!$this->emptyvalidate($username)){
            $this->seterror("The field Username is Empty.");
            return FALSE;
        }
        if($username == "SYSTEM"){
            $this->seterror("Cannot use SYSTEM as username.");
            return FALSE;
        }
        $username = (empty($username))?$this->value['username']:$username;
        $userexist = $this->datavalidate("users", array("username"), "username = '{$username}'");
        if($userexist == TRUE){
            $this->seterror($lang->user);
            return FALSE;
        }
        else return TRUE;
    }

    protected function passwordvalidate($password = ""){
        $mysidia = Registry::get("mysidia");
        if(!$this->emptyvalidate($this->value['password'])){
            $this->seterror("The field Password is empty.");
            return FALSE;
        }
        elseif(!$this->emptyvalidate($mysidia->input->post("pass2"))){
            $this->seterror("The field Confirmed Password is Empty.");
            // Return FALSE here as well, like the other failure branches
            return FALSE;
        }
        elseif(!$this->matchvalidate($this->value['password'], $mysidia->input->post("pass2"))){
            $this->seterror($mysidia->lang->match);
            return FALSE;
        }
        else return TRUE;
    }

    protected function emailvalidate($email = ""){
        $lang = Registry::get("lang");
        $email = (empty($email))?$this->value['email']:$email;
        $this->emptyvalidate($email);
        $regex = '/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i';
        if(!$this->matchvalidate($regex, $email, "preg_match")){
            $this->seterror($lang->email);
            return FALSE;
        }
        else return TRUE;
    }

    protected function birthdayvalidate($birthday = ""){
        $lang = Registry::get("lang");
        if(empty($this->value['birthday'])){
            $this->seterror($lang->birthday, TRUE);
            return FALSE;
        }
        else return TRUE;
    }

    protected function answervalidate($answer = ""){
        $mysidia = Registry::get("mysidia");
        if(!$this->matchvalidate($this->value['answer'], $mysidia->settings->securityanswer)){
            $this->seterror($mysidia->lang->question);
            return FALSE;
        }
        else return TRUE;
    }

    protected function tosvalidate($tos = ""){
        $lang = Registry::get("lang");
        $tos = (empty($tos))?$this->value['tos']:$tos;
        if($tos != "yes"){
            $this->seterror($lang->tos);
            return FALSE;
        }
        else return TRUE;
    }
}
?>
Abronsyth
01-06-2017, 09:10 AM
Silver_Brick, are you saying that someone was able to register with the username System?
Silver_Brick
01-06-2017, 10:34 AM
no they did not get registered but they can adopt pets which are pounded and that makes me very very very very very very very sad sad sad
Ittermat
01-06-2017, 10:48 AM
System IS The pound....
I thought it was a problem too-
http://mysidiaadoptables.com/forum/showthread.php?t=5028
Silver_Brick
01-06-2017, 12:15 PM
Ok got it and it's solved, I am sorry hof