I'd also like to remind anyone reading that it was complained on VPL that there wasn't enough verification going on to prevent script injection. I've added gender to the 'registervalidator' class so no one right click on a page, open up the html editor, change their gender to
ballerina or some other arbitrary thing and hit submit. Such a change would, in fact, go through. Checking for predefined data is important during validation.
And while changing one's gender is harmless enough, can I get confirmation that data is, before even hitting the 'registervalidator' class, being run through something like this:
PHP Code:
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
Notice I recommend htmlspecialchars(), not htmlentities()! If your site is UTF8 encoded, special symbols like ¡™£¢∞§¶ get turned into little black diamonds with question marks in them because htmlentities() doesn't know how to handle them, but htmlspecialchars() does.
It's worth noting that, for things like the profile 'bio' field, you can also run htmlspecialchars_decode() before displaying the data: meaning, the information was stored in the database with html characters encoded will translate those encoded characters back to html before posting, thus allowing users to do a little formatting. From there I'd run strip_tags() to weed all but only a certain set of allowed html. I haven't attempted to implement this yet,
but does it sound feasible?
Also, currently on the registration page it is only
requested that users created appropriate usernames and passwords, but nothing ever prevents users from having symbols in their name, or demands that users have strong passwords. I added in some extra validation for usernames and passwords, by modifying these two functions in the 'registervalidator' class:
PHP Code:
protected function usernamevalidate($username = ""){
// The username validator, note its a bit complicate here due to the different mechanism of username check for register and other validators
$lang = Registry::get("lang");
if(!$this->emptyvalidate($username)){
$this->seterror("The field Username is Empty.");
return FALSE;
}
$regex = '/\d*[a-zA-Z][a-zA-Z\d]{2,20}/';
if(!$this->matchvalidate($regex, $this->value['password'], "preg_match")){
$this->seterror("A username may ONLY contain letters and numbers, must be between between 3 and 20 characters long, and may not entirely be made of only numbers.");
return FALSE;
}
$username = (empty($username))?$this->value['username']:$username;
$userexist = $this->datavalidate("users", array("username"), "username = '{$username}'");
if($userexist == TRUE){
$this->seterror($lang->user);
return FALSE;
}
else return TRUE;
}
and also
PHP Code:
protected function passwordvalidate($password = ""){
$mysidia = Registry::get("mysidia");
$regex = '/([a-zA-Z0-9!@#$%^&*+=\-\_]{5,20})/';
if(!$this->emptyvalidate($this->value['password'])){
$this->seterror("The field Password is empty.");
return FALSE;
}
elseif(!$this->matchvalidate($regex, $this->value['password'], "preg_match")){
$this->seterror("A password must be between 6 and 20 characters long, and may ONLY contain letters, numbers and these symbols: !@#$%^&*+=-_");
return FALSE;
}
elseif(!$this->emptyvalidate($mysidia->input->post("pass2"))){
$this->seterror("The field Confirmed Password is Empty.");
}
elseif(!$this->matchvalidate($this->value['password'], $mysidia->input->post("pass2"))){
$this->seterror($mysidia->lang->match);
return FALSE;
}
else return TRUE;
}
Now the validator will:
- Check that a new username DOES in fact ONLY contain letters and numbers, is between between 3 and 20 characters long, and is not entirely made of only numbers.
- Check that a password ONLY contain letters, numbers and symbols, and be between 6 and 20 characters long. The accepted symbols are: !@#$%^&*+=-_
So, anyway, the purpose of this thread was to ask what all is being done to validate user input? Not only at registration, but anywhere a profile can be updated as well? I'm only asking for peace of mind.