Hello, I use a script I found on this site Click Here. I don't think the htmlentities check works and I don't know what's wrong.

the .php file for the registration starts with

<?PHP
require_once("./include/membersite_config.php");

if(isset($_POST['submitted']))
{
   if($fgmembersite->RegisterUser())
   {
        $fgmembersite->RedirectToURL("thank-you.php");
   }
}

?>

and the user registration form starts with

<div id='fg_membersite'>
<form id='register' action='<?php echo $fgmembersite->GetSelfScript(); ?>' method='post' accept-charset='UTF-8'>
<fieldset >
<legend>Registration</legend>

<input type='hidden' name='submitted' id='submitted' value='1'/>

<div class='short_explanation'>* field required</div>
<input type='text'  class='spmhidip' name='<?php echo $fgmembersite->GetSpamTrapInputName(); ?>' />

<div><span class='error'><?php echo $fgmembersite->GetErrorMessage(); ?></span></div>
<div class='container'>
    <label for='name' >Name*: </label><br/>
    <input type='text' name='name' id='name' value='<?php echo $fgmembersite->SafeDisplay('name') ?>' maxlength="50" /><br/>
    <span id='register_name_errorloc' class='error'></span>
</div>

<div class='container'>
    <label for='firstname' >Firstname*: </label><br/>
    <input type='text' name='firstname' id='firstname' value='<?php echo $fgmembersite->SafeDisplay('firstname') ?>' maxlength="50" /><br/>
    <span id='register_firstname_errorloc' class='error'></span>
</div>

...

membersite_config.php contains require_once("./include/fg_membersite.php"); and fg_membersite.php has the htmlentities functions like this:

    function GetSelfScript()
    {
        return htmlentities($_SERVER['PHP_SELF']);
    }


    function SafeDisplay($value_name)
    {
        if(empty($_POST[$value_name]))
        {
            return '';
        }
        return htmlentities($_POST[$value_name]);
    }

    function GetErrorMessage()
    {
        if(empty($this->error_message))
        {
            return '';
        }
        $errormsg = nl2br(htmlentities($this->error_message));
        return $errormsg;
    }    

However, when I try to insert signs like < > in the name or username, the form accepts it and the information is added with the special characters to MySQL as well. I just want to prevent people from inserting PHP code or similar in the form. What has to be modified in the code above for it to work?

Edited by diafol: Post to the right forum - PHP

0

Hi,

I think there is a problem in the validation class of the script. I felt so guilty recommending this script. I tested the earlier version, but I have not done any testing at all on their latest one. I should have tested it first, before extending any recommendation. I need to contact the author of the script and tell him about this bug. He should be active at SourceForge.

I tested the script today and you are right, the HTML tags are able to escape and get posted in the database under the radar of the validator class.

If you can wait for a few days, I might be able to write you one, or maybe try to fix the validation class.

I have a login function in my open source application, but it is too huge for me to disassemble for your purpose. Just hold on... I will get back to this thread.

0

Hi,

OK, just to get you going and to eliminate the problem of HTML tags being posted in the database, I fixed the class. WARNING! This is a temporary fix. I will attempt to fix some other vulnerabilities if I find ONE.

Disclaimer! I do not own, nor did I write, this login system. I am still waiting for the original author to contact me if he has any updates for the script. Otherwise, I will have to make a few more fixes, and this script should be considered safe.

In my fixed file, I added a distinction between regular members and the admin. I also extended it to have a moderator role if need be.

Later I will talk about this extended method from the original class.

Instructions:

  1. Download the upgraded fg_membersite file Here
  2. Replace the .txt extension with the .php extension, e.g. fg_membersite.php
  3. Open the include directory and rename the file called fg_membersite.php to something else. This is your backup file.
  4. Upload the downloaded and renamed file from steps 1 and 2 to your include directory.
  5. Go to your phpMyAdmin, and then click on the database for your login system.
  6. On the top right corner, look for the sql tab, click on the sql tab.
  7. Place your cursor in the textarea, right click and then choose "select all", hit delete.
  8. Paste the code below inside the textarea, and click save or go.

    ALTER TABLE member ADD privs INT( 11 ) NOT NULL AFTER name

  9. Now go to your login system and register for a new account. In the username use HTML tags, then submit the new registration.

  10. You should get a registration confirmation. Take note of the username.

  11. Go back to your phpMyAdmin, and search for the username of the newly registered user. There should be NO HTML tags in there. The class should be able to strip every possible character outside the scope of [^a-zA-Z0-9 ] .

Later I will show you how to filter member privs...

Edited by veedeoo: more info added

0

If you downloaded the file before this post, you must download it again. I just made an update.

Update 2 Detail:

  1. Remove the restriction on password, so that the password generator can be used.

Safety issues on password?
1. Since the password is being converted to an md5 hash, there will be few characters or entities that can pose harm to the database; the same hashing is used when validating the user's password. The original sanitizing method is still in effect as intended by the original author.

ADDED file:

Here is the access control that will verify if the logged-in member is an admin or regular member.

To be recognized by the script as admin, you need to change your privs to 7. The modification defines member privs as 7 - admin, 3 - moderator, 1 - regular member. The script validates them as 700, 300, or 100.

Edited by veedeoo: more info added
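Added example (not from the thread and not the script's own code): password handling for the member table described above, using PHP's password_hash() and password_verify() in place of md5(), with bound PDO parameters so that a generated password needs no character restriction. The in-memory SQLite database, the username and password columns, and the function names registerMember and checkLogin are assumptions; only the member table, its name and privs columns and the privs values come from the posts.

```php
<?php
// Added example. Columns other than `name` and `privs` are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (
    username TEXT PRIMARY KEY,
    name     TEXT NOT NULL,
    privs    INTEGER NOT NULL DEFAULT 1,  -- 7 admin, 3 moderator, 1 member
    password TEXT NOT NULL
)');

// Hypothetical helper: store a new regular member.
function registerMember(PDO $db, string $username, string $name, string $password): void
{
    // password_hash() salts every hash and is deliberately slow;
    // md5() is unsalted and fast to brute-force.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters keep every value out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO member (username, name, privs, password) VALUES (?, ?, 1, ?)'
    );
    $stmt->execute([$username, $name, $hash]);
}

// Hypothetical helper: returns the member's privs on success, null otherwise.
function checkLogin(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT privs, password FROM member WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['privs'];
}

// Constructed sample values: a generated password full of special characters.
$generated = "p\"'<>;--\\ x";
registerMember($db, 'zoe', 'Zoé', $generated);

var_dump(checkLogin($db, 'zoe', $generated));              // correct password
var_dump(checkLogin($db, 'zoe', 'wrong'));                 // wrong password
var_dump(checkLogin($db, "zoe' OR '1'='1", $generated));   // quoted input is just data
```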

0

Later on, I will convert the entire script to either the Twig or Smarty templating system, depending on my mood. Twig is easy, so it is more likely to be the candidate. This will provide additional security, because of the compilation used by Smarty.

0

Hi veedeoo, thanks for your answer. I'll test this. In the meantime I've edited the JavaScript validation on the registration form as a workaround. I just have one question about that. How can I make a validation in JavaScript that allows characters with accents like é or ö?
I tried first with "alnum_s", but I want to allow characters with accents.

1

Hi,

For the accents, we need to make a separate validation function for it, e.g.

function isItLatin($username) {
    $itIs = false;

    if (preg_match("/^[\w\d\s.,-]*$/", $username)) {
        $itIs = true;
    }

    return $itIs;
}

Based on the accented character validation result, we can use different filters, e.g. English or Latin filters. So for instance, we have an accented input in the form; if the function above recognizes it as part of the acceptable characters within bounds, then this

$username = preg_replace('/[^a-zA-Z0-9 ]/s', ' ', $_POST['username']);

will no longer apply or be used. Instead we make the script use the simple validation as included in the class itself

 ## this will allow usage of the accented characters
 $username = trim($_POST['username']);

For the JavaScript validation for accented characters, you can read more Here; it is pretty much self-explanatory.

Edited by veedeoo: more info added

Votes + Comments
thx
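Added example (not from the thread or from the script's author): a server-side allow-list check that accepts accented letters such as é and ö and rejects < and >, shown next to the kind of output encoding SafeDisplay() performs. Encoding functions such as htmlentities() only transform text for display and never reject input, and browser-side validation can be bypassed, so the check is done in PHP; the function names isValidName and encodeForHtml are hypothetical.

```php
<?php
// Added example; these functions are not part of fg_membersite.php.

// Allow-list validation: Unicode letters (so é, ö, œ pass), combining marks,
// spaces, apostrophes and hyphens, between 1 and $max characters.
function isValidName(string $value, int $max = 50): bool
{
    // /u treats pattern and subject as UTF-8; on invalid UTF-8 preg_match()
    // returns false, which the strict comparison turns into a rejection.
    // /D stops "$" from matching before a trailing newline.
    return preg_match('/^[\p{L}\p{M}\' -]{1,' . $max . '}$/Du', $value) === 1;
}

// Output encoding for HTML text and quoted attribute values. This changes
// how a value is displayed; it does not decide whether the value is accepted.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'Zoé',
    'Jörg Müller',
    "O'Brien",
    '<b>bob</b>',
    '<?php phpinfo(); ?>',
    '',
];

foreach ($samples as $input) {
    printf(
        "%-22s valid=%-3s encoded=%s\n",
        $input,
        isValidName($input) ? 'yes' : 'no',
        encodeForHtml($input)
    );
}
```

A registration handler would call isValidName() on each submitted field before inserting, and encodeForHtml() whenever a stored value is written back into a page.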
0

Thanks again. One question though, for JavaScript: wouldn't it be possible to add a regex in the JavaScript validation part only for the characters I want to allow, without allowing < > ?
For example something like

frmvalidator.addValidation("username","regexp=#^[-a-zA-Z*(é|è|à|ê|ê|œ|á|ç|ö|ä|ü)]{1,20}$#","the username should only contain alpha-numeric characters");

I've just tested the above, but it allows me to put < > in the username, so it's not what I want. Why does it allow it with the form?

0

Testing it again, it doesn't allow any characters in the username field.

0

It works on the JavaScript side now with

frmvalidator.addValidation("username","regexp=^[A-Za-zéèàêêœáçöäü]{1,20}$",