Author Topic: Please remove Special Characters from your usernames.  (Read 25881 times)

Offline Zachary Cohn

  • APK Alliance
  • Global Moderator
  • Hirundo Rustica
  • *****
  • Posts: 2187
  • Karma: +3/-0
  • I do cool stuff.
    • ZacCohn.com
Please remove Special Characters from your usernames.
« on: February 19, 2009, 03:24:29 PM »
Please remove all special characters from your usernames. If you have certain ones in your username, it prevents people from PMing you. Special characters are any non-alphanumeric characters. (That means letters and numbers are okay, nothing else is.)

If you want to use your name and your handle, you have the ability to modify your own title. My title says "Happydud" because that was my old handle. I strongly suggest you either make your username your name OR your handle, not both. It leads to long, confusing, annoying, and potentially disruptive usernames.

Thank you.
« Last Edit: June 12, 2009, 09:43:59 PM by Zachary Cohn »

Offline Andy Animus Tran

  • Hirundo Rustica
  • *****
  • Posts: 2980
  • Karma: +146/-44
  • The Invisible Man
Re: Please remove special characters from your usernames.
« Reply #1 on: February 19, 2009, 03:25:41 PM »
There really should be a filter on that. You'd think that the people who programmed the forum would've noticed such a blatant bug, eh?
Andy Tran, C.S.C.S.
Lead Parkour Instructor
Urban Evolution
Parkour Virginia

Offline Paul Leon Mederos

  • Legend
  • Administrator
  • Hirundo Rustica
  • *****
  • Posts: 1220
  • Karma: +65535/-65535
    • Simple Knowledge - Leon's Tumblr Blog
Re: Please remove special characters from your usernames.
« Reply #2 on: February 19, 2009, 03:42:46 PM »
You would think, and I had hoped they would have patched it, but nien.
When we move, we move as one.

Act; for the universe will never forget your movement, nor will it ever forgive your stillness.

Offline Alec Furtado

  • kicks butt.
  • Hirundo Rustica
  • *****
  • Posts: 1992
  • Karma: +27/-6
  • Balance.
Re: Please remove special characters from your usernames.
« Reply #3 on: February 19, 2009, 08:47:01 PM »
Well you can add " and ' as reserve names on the Set Reserve Names page of the Registration section of the admin panel (EDIT: oh and have "Match whole name only" unchecked). However, users can still change their display names to include ' and " unless you disable that. I wrote a hack to test against it but for some reason it's just not working. I guess I'll have to look into it a little further. If you wanna see, name crap is tested from profile change input in Sources/Profile.php starting on line 704. I added the sequence
Code: [Select]
// Reject a display name that contains a double quote anywhere in it.
elseif (strpos($_POST['realName'], '"') !== false)
	$post_errors[] = 'bad_name';
Before the first else (ln711) within the if block. It should test if the string '"' (the doublequote) exists anywhere in the posted value. If it exists strpos() outputs the position of '"' inside the string. Otherwise it's false (and the expression should be executed). "bad_name" is just the entry of an error message in the language files. Not sure why it doesn't like it unless it is confused testing for '"'?


I gotta get back to homework lol.
« Last Edit: February 19, 2009, 09:05:19 PM by Alec Furtado »
Water conforms to the shape of its surroundings. Do not be water. Shape your own life.
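Added example, not code from this thread or from SMF: a name check in the spirit of the strpos() test above, extended to an allowlist (letters, digits and spaces, the space being an assumption) and to input that has already been HTML-escaped. Whether SMF escapes realName before that point is an assumption, and disallowed_name_chars() is a hypothetical helper.

```php
<?php
// Added example; the function name and sample names are constructed, not SMF code.

/**
 * Return the distinct characters in $name that fall outside the allowlist
 * (ASCII letters, digits and the space character).
 */
function disallowed_name_chars(string $name): array
{
    // Assumption: the value may already have been HTML-escaped upstream,
    // so decode entities first and check the characters they stand for.
    $decoded = html_entity_decode($name, ENT_QUOTES | ENT_HTML401, 'UTF-8');

    // Collect everything that is not a letter, a digit or a space.
    preg_match_all('/[^A-Za-z0-9 ]/u', $decoded, $matches);

    return array_values(array_unique($matches[0]));
}

// Constructed sample inputs: raw quotes, escaped quotes, a leading quote,
// a hyphenated name and a clean name.
$samples = [
    'James "Jim" Kirk',
    'James &quot;Jim&quot; Kirk',
    '"Quoted',
    'A-SkyfiOriginal',
    'ASkyfiOriginal',
];

foreach ($samples as $sample) {
    // The check from the post: strpos() returns an offset or false, so the
    // comparison must be !== false (offset 0 is a valid hit).
    $rawQuoteCheck = strpos($sample, '"') !== false;

    $bad = disallowed_name_chars($sample);

    printf(
        "%-28s raw-quote-check=%-4s allowlist=%s\n",
        $sample,
        $rawQuoteCheck ? 'hit' : 'miss',
        $bad ? 'reject [' . implode(' ', $bad) . ']' : 'ok'
    );
}
```

The second sample is the case to watch: a test for the literal double quote misses a name whose quotes arrive as entities, while the allowlist check on the decoded value still rejects it.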

Offline Zachary Cohn

  • APK Alliance
  • Global Moderator
  • Hirundo Rustica
  • *****
  • Posts: 2187
  • Karma: +3/-0
  • I do cool stuff.
Re: Please remove special characters from your usernames.
« Reply #4 on: February 19, 2009, 11:38:08 PM »
For everyone else, the error is similar to how a SQL injection works.

A) Someone's name is: John 'Jack' Jerry

B) Using your example as a reference, a line of code might look something like:
Code: [Select]
if (strpos($_POST['userName'])
C) What the computer sees is this:
Code: [Select]
if (strpos($_POST['John 'Jack' Jerry']
D) So what happens is that the computer sees everything in between the single quotes as what it's looking for. So it ends up looking for "John " and " Jerry", and then depending on the language Jack does... something or nothing.  So it basically tries to send a PM to John and Jerry, but not John 'Jack' Jerry.

Offline Shamas

  • Mr. Random
  • Mangabey
  • ****
  • Posts: 402
  • Karma: +36/-10
  • Look behind you
Re: Please remove special characters from your usernames.
« Reply #5 on: February 20, 2009, 08:12:37 AM »
I didn't even notice that. Heh heh. Good catch (I didn't have characters in my name)
"The Edge... there is no honest way to explain it because the only people who really know where it is are the ones who have gone over."
-Hunter S. Thompson
▌§▌
Now this is happening!
http://www.americanparkour.com/smf/index.php/topic,14576.180.html

Offline Zachary Cohn

  • APK Alliance
  • Global Moderator
  • Hirundo Rustica
  • *****
  • Posts: 2187
  • Karma: +3/-0
  • I do cool stuff.
Re: Please remove special characters from your usernames.
« Reply #6 on: February 21, 2009, 10:13:27 AM »
Actually if you guys could help spread this message, I'd really appreciate it. If someone with special characters posts in a thread, just forward them to this thread. Don't go overboard, and only one person has to do it (We don't need ten people telling one person to remove special characters), but it'd help.

If you want to go to their profile and send them an email, that'd be good too, to make sure they see it.

Thanks.

Offline Alec Furtado

  • kicks butt.
  • Hirundo Rustica
  • *****
  • Posts: 1992
  • Karma: +27/-6
  • Balance.
Re: Please remove special characters from your usernames.
« Reply #7 on: February 21, 2009, 10:30:55 AM »
Will do. ;)
Water conforms to the shape of its surroundings. Do not be water. Shape your own life.

Offline Shamas

  • Mr. Random
  • Mangabey
  • ****
  • Posts: 402
  • Karma: +36/-10
  • Look behind you
Re: Please remove special characters from your usernames.
« Reply #8 on: February 21, 2009, 12:19:01 PM »
No problem.
"The Edge... there is no honest way to explain it because the only people who really know where it is are the ones who have gone over."
-Hunter S. Thompson
▌§▌
Now this is happening!
http://www.americanparkour.com/smf/index.php/topic,14576.180.html

Offline Derik (QuikSilva) DaSilva

  • Mangabey
  • ****
  • Posts: 331
  • Karma: +45/-29
Re: Please remove Quotation Marks from your usernames.
« Reply #9 on: June 12, 2009, 09:17:56 PM »
But parentheses are fine, right?

Offline Zachary Cohn

  • APK Alliance
  • Global Moderator
  • Hirundo Rustica
  • *****
  • Posts: 2187
  • Karma: +3/-0
  • I do cool stuff.
Re: Please remove Special Characters from your usernames.
« Reply #10 on: June 12, 2009, 09:44:28 PM »
Prefer not. We're probably going to be upgrading the forum software soon to disable non alphanumeric.. so you should just change it now. :)

Offline Alec Furtado

  • kicks butt.
  • Hirundo Rustica
  • *****
  • Posts: 1992
  • Karma: +27/-6
  • Balance.
Re: Please remove Special Characters from your usernames.
« Reply #11 on: June 13, 2009, 02:19:39 PM »
Funny how this is still v1.1.5... they have 1.1.9 now :D

While you're at it, can you please consider Auto-embed? It has support for over 200 media sites. Just upload the .zip and it's installed. Veerryy simple and very easy.
« Last Edit: June 13, 2009, 02:22:56 PM by Alec Furtado »
Water conforms to the shape of its surroundings. Do not be water. Shape your own life.

Offline Zachary Cohn

  • APK Alliance
  • Global Moderator
  • Hirundo Rustica
  • *****
  • Posts: 2187
  • Karma: +3/-0
  • I do cool stuff.
Re: Please remove Special Characters from your usernames.
« Reply #12 on: June 13, 2009, 04:00:43 PM »
We're in the process of updating all the components of APK. It just takes time. :)

(Also, one reason we've held off updating the forums is that we need a special bridge between joomla and smf so the users are shared between APK and the forums. Working on that..)

Dekudude

  • Guest
Re: Please remove special characters from your usernames.
« Reply #13 on: July 07, 2009, 03:41:51 PM »
For everyone else, the error is similar to how a SQL injection works.

A) Someone's name is: John 'Jack' Jerry

B) Using your example as a reference, a line of code might look something like:
Code: [Select]
if (strpos($_POST['userName'])
C) What the computer sees is this:
Code: [Select]
if (strpos($_POST['John 'Jack' Jerry']
D) So what happens is that the computer sees everything in between the single quotes as what it's looking for. So it ends up looking for "John " and " Jerry", and then depending on the language Jack does... something or nothing.  So it basically tries to send a PM to John and Jerry, but not John 'Jack' Jerry.

Actually, no. I don't mean to burst your bubble (I thought along the same lines for quite a while) but that only works with SQL. PHP has security against that, and you'll be perfectly fine with a username such as "John 'Jack' Jerry".

Why?
MySQL is its own software based on PHP and other programming languages. It is built into the program, so it has to accept the programs' limitations.

PHP doesn't interpret if (strpos($_POST['John 'Jack' Jerry'])) like that. Instead, it sees it as: if function strpos() returns true on the $_POST variable which is equal to John 'Jack' Jerry, do whatever.

MySQL, on the other hand, can't work that way. MySQL is based on queries. If you wrote the above code into a PHP script, you'd have problems, but user input won't mess anything up. In MySQL user input IS the script, so you WILL have issues.

Hope that makes sense. :)

If you want my input, I think limiting some special characters is a fine idea, but you should allow quotes, underscores, hyphens, and maybe even !@#$%^&*()_+, as they are accessible on nearly all keyboards.
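Added example, not part of the original posts: the difference described above between user input handled as a PHP value and user input concatenated into SQL text, with a prepared statement as the fix. The members table and its data are constructed, and the code assumes the pdo_sqlite extension is available.

```php
<?php
// Added example; table, column and data are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, real_name TEXT)');
$db->prepare('INSERT INTO members (real_name) VALUES (?)')
   ->execute(["John 'Jack' Jerry"]);

// Stands in for $_POST['userName'] as submitted by the browser.
$name = "John 'Jack' Jerry";

// 1. Inside PHP the value is string data. The quotes in it are characters
//    to search for, never source code to be parsed.
echo "offset of first quote in the PHP string: ";
var_dump(strpos($name, "'"));

// 2. Concatenated into SQL text, the same quotes close the string literal
//    early and the database is handed a malformed statement.
$sql = "SELECT id FROM members WHERE real_name = '" . $name . "'";
echo "concatenated SQL: $sql\n";
try {
    $db->query($sql);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// 3. With a prepared statement the query text is fixed and the name is
//    bound as a value, so the quotes stay data and the lookup succeeds.
$stmt = $db->prepare('SELECT id FROM members WHERE real_name = ?');
$stmt->execute([$name]);
echo "prepared statement found member id: ";
var_dump($stmt->fetchColumn());
```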

Offline Zachary Cohn

  • APK Alliance
  • Global Moderator
  • Hirundo Rustica
  • *****
  • Posts: 2187
  • Karma: +3/-0
  • I do cool stuff.
Re: Please remove Special Characters from your usernames.
« Reply #14 on: July 07, 2009, 07:42:56 PM »
Well, there's something going on then. Sending a PM to user: James "Jim" Kirk   will result in an error. I don't remember exactly what it is, but it has to do with the quotations, I may have posted it earlier in the thread.

Dekudude

  • Guest
Re: Please remove Special Characters from your usernames.
« Reply #15 on: July 11, 2009, 11:15:01 AM »
That's weird... it shouldn't do that. Are you using the built-in SMF PM system, or something modified on another part of the site?

Offline Alec Furtado

  • kicks butt.
  • Hirundo Rustica
  • *****
  • Posts: 1992
  • Karma: +27/-6
  • Balance.
Re: Please remove Special Characters from your usernames.
« Reply #16 on: July 11, 2009, 11:41:58 AM »
But it is still "similar to how a SQL injection works."


Depending on what they are using as the string delimiters, either ' or " may screw things up. What you could do is replace those with their respective character codes ("&quot;" and "&lsquot;" / "&rsquot;")
Water conforms to the shape of its surroundings. Do not be water. Shape your own life.

Dekudude

  • Guest
Re: Please remove Special Characters from your usernames.
« Reply #17 on: July 12, 2009, 10:00:27 PM »
Yeah, quotation marks can jack things up... but I'm just saying things like & and ] can't. What's weird, though, is that the error is showing up. SMF forums are extremely stable AND secure. Makes no sense to me.

Oh well. :P

Offline Skye

  • Ambassador
  • Mangabey
  • *****
  • Posts: 281
  • Karma: +19/-9
  • o.0
Re: Please remove Special Characters from your usernames.
« Reply #18 on: July 14, 2009, 07:28:09 PM »
Question: see, my name everywhere is A-SkyfiOriginal; here it is ASkyfiOriginal.
If I change it to A-SkyfiOriginal, will that count as a special character?
ME:  "I'm a graphic artist."
HIM: "whats that? What do you do?"
ME:   "well actually it can be pretty hard, i have to  code and..." (getting all technical with my words on what i do."
HIM:  "blank Stare"
ME: "I make pretty pictures..."

Offline Alec Furtado

  • kicks butt.
  • Hirundo Rustica
  • *****
  • Posts: 1992
  • Karma: +27/-6
  • Balance.
Re: Please remove Special Characters from your usernames.
« Reply #19 on: July 15, 2009, 07:32:46 PM »
No, that shouldn't cause a problem with the process.
Water conforms to the shape of its surroundings. Do not be water. Shape your own life.