#1
Registration Validation?
I'd also like to remind anyone reading that it was complained on VPL that there wasn't enough verification going on to prevent script injection. I've added gender to the 'registervalidator' class so no one can right-click on a page, open up the HTML editor, change their gender to ballerina or some other arbitrary thing and hit submit. Such a change would, in fact, go through. Checking for predefined data is important during validation.
And while changing one's gender is harmless enough, can I get confirmation that data is, before even hitting the 'registervalidator' class, being run through something like this: PHP Code:
It's worth noting that, for things like the profile 'bio' field, you can also run htmlspecialchars_decode() before displaying the data: meaning, information that was stored in the database with HTML characters encoded will have those encoded characters translated back to HTML before posting, thus allowing users to do a little formatting. From there I'd run strip_tags() to weed out all but a certain set of allowed HTML. I haven't attempted to implement this yet, but does it sound feasible? Also, currently on the registration page it is only requested that users create appropriate usernames and passwords, but nothing ever prevents users from having symbols in their name, or demands that users have strong passwords. I added in some extra validation for usernames and passwords, by modifying these two functions in the 'registervalidator' class: Now the validator will:
So, anyway, the purpose of this thread was to ask what all is being done to validate user input? Not only at registration, but anywhere a profile can be updated as well? I'm only asking for peace of mind.
__________________
Please do not contact me directly outside of Mysidia.
I also cannot troubleshoot code more than two years old - I legit don't remember it.
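The checks described in this post (predefined values only for gender, stricter username and password rules, and a limited set of HTML allowed in the bio), as an added example that is not Mysidia's code or the poster's patch. The class name, the accepted gender values and the allowed tag list are assumptions; note that strip_tags() keeps attributes on allowed tags, so the example strips them in a second step before display.

```php
<?php
// Added example (not Mysidia's code), in the spirit of the 'registervalidator'
// discussion; class name, gender values and bio tag list are assumptions.
final class RegisterValidator
{
    // Only values the form itself offers are accepted, so an <option>
    // edited in the browser's HTML editor is rejected server-side.
    private const GENDERS = ['male', 'female', 'other'];

    // Tags a user may keep in a bio. strip_tags() leaves attributes on
    // allowed tags in place, so attributes are removed separately below.
    private const BIO_TAGS = ['b', 'i', 'u', 'p', 'br'];

    public static function gender(string $value): string
    {
        if (!in_array($value, self::GENDERS, true)) {
            throw new InvalidArgumentException('gender must be a predefined value');
        }
        return $value;
    }

    // Username: letters, digits and underscore only, 3 to 20 characters.
    public static function username(string $value): string
    {
        if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $value)) {
            throw new InvalidArgumentException('username: letters, digits, _ only (3-20 chars)');
        }
        return $value;
    }

    // Password: at least 8 characters containing a letter and a digit.
    public static function password(string $value): string
    {
        if (strlen($value) < 8 || !preg_match('/[A-Za-z]/', $value) || !preg_match('/\d/', $value)) {
            throw new InvalidArgumentException('password: 8+ chars with a letter and a digit');
        }
        return $value;
    }

    // Bio for display: run on the htmlspecialchars_decode()'d text, keep
    // only allowed tags, then drop every attribute (e.g. onmouseover=...).
    public static function bio(string $decoded): string
    {
        $kept = strip_tags($decoded, self::BIO_TAGS);
        return preg_replace('/<(\/?)([a-z]+)\b[^>]*>/i', '<$1$2>', $kept);
    }
}

echo RegisterValidator::gender('male'), "\n";                                      // accepted
echo RegisterValidator::bio('<b onmouseover="x">hi</b><script>1</script>'), "\n"; // <b>hi</b>1
```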
#2
Well yeah, the script does lack validation for certain pages. Some forms such as breeding and pound are extensively validated, but others are only partially. This is the inconsistency I plan to work on for Mys v1.4.0, which will have a new and much more powerful validation system.
I honestly don't quite agree with the example on gender though, since I cannot see the benefits of changing your own gender to 'ballerina'. It will break your user profile, but it won't even bring harm to other users; do hackers actually enjoy such meaningless things? The avatar though, is a rather serious issue (which may lead to XSS) and I'd see if there's a way to post a patch at the bug tracker to resolve it.
__________________
Mysidia Adoptables, a free and ever-improving script for aspiring adoptables/pets site.