Not Parkour or Freerunning > Socialize

Please remove Special Characters from your usernames.


Zachary Cohn:
Please remove all special characters from your usernames. If you have certain ones in your username, it prevents people from PMing you. Special characters are any non alpha-numeric character. (That means letters and numbers are okay, nothing else is).

If you want to use your name and your handle, you have the ability to modify your own title. My title says "Happydud" because that was my old handle. I strongly suggest you either make your username your name OR your handle, not both. It leads to long, confusing, annoying, and potentially disruptive usernames.

Thank you.

Andy Animus Tran:
There really should be a filter on that. You'd think that the people who programmed the forum would've noticed such a blatant bug, eh?

Paul Leon Mederos:
You would think, and I had hoped they would have patched it, but nein.

Alec Furtado:
Well you can add " and ' as reserve names on the Set Reserve Names page of the Registration section of the admin panel (EDIT: oh and have "Match whole name only" unchecked). However, users can still change their display names to include ' and " unless you disable that. I wrote a hack to test against it but for some reason it's just not working. I guess I'll have to look into it a little further. If you wanna see, name crap is tested from profile change input in Sources/Profile.php starting on line 704. I added the sequence

--- Code: ---// reject a display name that contains a double quote anywhere in it
elseif (strpos($_POST['realName'], '"') !== false)
    $post_errors[] = 'bad_name';
--- End code ---
Before the first else (ln711) within the if block. It should test whether the string '"' (the double quote) exists anywhere in the posted value. If it exists, strpos() outputs the position of '"' inside the string. Otherwise it's false (and the expression should be executed). "bad_name" is just the entry of an error message in the language files. Not sure why it doesn't like it unless it is confused testing for '"'?

I gotta get back to homework lol.
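As an added example (this is not SMF's code and not code from the thread), here is a self-contained PHP check that applies the rule from the first post, letters and digits only, alongside the strpos() tests Alec describes, so each refused name reports why it was refused. The function name, the error keys other than bad_name, the length limit and the sample names are assumptions made for this example.

```php
<?php
// Added example, not SMF's own code: validate a proposed display name
// the way the thread asks for (alphanumeric only) and report which rule failed.
// validate_display_name(), the extra error keys, the 32-character limit and
// the sample inputs are assumptions for this example.

declare(strict_types=1);

/**
 * Return a list of error keys for a proposed display name (empty list = accepted).
 */
function validate_display_name(string $name, int $maxLen = 32): array
{
    $errors = [];

    // Trim surrounding whitespace first; a name of only spaces is not a name.
    $name = trim($name);
    if ($name === '') {
        $errors[] = 'no_name';
        return $errors;
    }
    if (strlen($name) > $maxLen) {
        $errors[] = 'name_too_long';
    }

    // Specific checks mirroring the strpos() test from the post, so the
    // error message can say that a quote character was the problem.
    if (strpos($name, '"') !== false || strpos($name, "'") !== false) {
        $errors[] = 'bad_name';
    }

    // Allow-list check: anything that is not A-Z, a-z or 0-9 is refused.
    // This is stricter than hunting for known-bad characters and also covers
    // characters nobody thought to list (backslashes, semicolons, spaces, ...).
    if (!preg_match('/^[A-Za-z0-9]+$/', $name)) {
        $errors[] = 'name_not_alphanumeric';
    }

    return array_values(array_unique($errors));
}

// Constructed sample inputs, including the name used later in the thread.
$samples = [
    'Happydud',
    "John 'Jack' Jerry",
    'Zach"Cohn',
    'Andy Animus Tran',
    '',
    str_repeat('a', 40),
];

foreach ($samples as $candidate) {
    $errors = validate_display_name($candidate);
    printf("%-22s => %s\n", var_export($candidate, true),
        $errors === [] ? 'ok' : implode(', ', $errors));
}
```

Run with `php validate_name.php`. Note that the allow-list follows the thread's rule literally, so spaces and non-ASCII letters are refused too; a forum that wants to accept accented names would need a Unicode-aware pattern (for example `/^[\p{L}\p{N}]+$/u`) rather than a wider blacklist.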

Zachary Cohn:
For everyone else, the error is similar to how a SQL injection works.

A) Someone's name is: John 'Jack' Jerry

B) Using your example as a reference, a line of code might look something like:

--- Code: ---if (strpos($_POST['userName'])
--- End code ---

C) What the computer sees is this:

--- Code: ---if (strpos($_POST['John 'Jack' Jerry']
--- End code ---

D) So what happens is that the computer sees everything in between the single quotes as what it's looking for. So it ends up looking for "John " and " Jerry", and then depending on the language Jack does... something or nothing. So it basically tries to send a PM to John and Jerry, but not John 'Jack' Jerry.
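The steps above describe the quote problem by analogy; the following added example (not from the thread and not SMF code) shows the same thing concretely with an in-memory SQLite table: pasting the name "John 'Jack' Jerry" into query text ends the string literal early, exactly as in step C, while passing it as a bound parameter finds the member. The table layout, the helper function names and the sample rows are constructed for this example.

```php
<?php
// Added example, not from the thread or from SMF: the quote problem described
// above, shown with an in-memory SQLite table so it runs without a forum install.
// make_db(), find_by_concat(), find_by_param(), the members table and the
// sample rows are assumptions constructed for this example.

declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, real_name TEXT NOT NULL)');
    // Store the example name safely, with a bound parameter.
    $ins = $db->prepare('INSERT INTO members (real_name) VALUES (:name)');
    $ins->execute([':name' => "John 'Jack' Jerry"]);
    return $db;
}

/**
 * The fragile way: the name is pasted into the SQL text, so the single quotes
 * inside it terminate the string literal early (the post's step C).
 * Returns the matched id, "no match", or the database's error message.
 */
function find_by_concat(PDO $db, string $name): string
{
    $sql = "SELECT id FROM members WHERE real_name = '" . $name . "'";
    try {
        $id = $db->query($sql)->fetchColumn();
        return $id === false ? 'no match' : "id=$id";
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

/**
 * The robust way: the name travels as a parameter, never as SQL text, so any
 * quotes in it are just characters to compare against.
 */
function find_by_param(PDO $db, string $name): string
{
    $stmt = $db->prepare('SELECT id FROM members WHERE real_name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? 'no match' : "id=$id";
}

$db = make_db();
foreach (['Happydud', "John 'Jack' Jerry"] as $name) {
    printf("%-20s concat: %-45s param: %s\n", $name,
        find_by_concat($db, $name), find_by_param($db, $name));
}
```

For "Happydud" both lookups report no match; for "John 'Jack' Jerry" the concatenated query fails with a syntax error (the text after the first closing quote is no longer part of the name), while the parameterised query returns the row. The lesson for the forum is that filtering quotes out of usernames reduces the breakage, but the code that builds the PM lookup is what actually needs to treat the name as data rather than as part of the query.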
