Bug #1438
Create account not working in client
| Status: | New | Start date: | 03/01/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | sfb | % Done: | 0% |
| Category: | Client: General | | |
| Target version: | Version 0.9.0 | | |
Description
It hangs the client. Attached is a patch that adds PHP files that make it work when they are used as the CreateAccountURL.
History
#1 Updated by Botanic over 3 years ago
- File 1875.patch added
Need this patch as well for CSS and removal of a redundant function.
#2 Updated by kaetemi over 3 years ago
I don't like the hardcoded values. :)
#3 Updated by sfb about 3 years ago
- Assignee changed from Botanic to sfb
- Target version set to Version 0.9.0
I'll take this and remove the hard coding.
#4 Updated by nimetu about 3 years ago
1874.patch has a possible SQL injection in createUser() from the $email field.
$email is checked with validEmail(), which allows an email like ["\'; SQL"@example.com] (this actually should be a valid email address).
There should be a line [$email=mysql_real_escape_string($email);] just before the SQL $query is created.
$login is checked with checkUser() to only allow alphanumeric chars and is safe to use.
... also checkUser() and checkEmail() both return 'success' when the actual field is not set.
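The two problems nimetu raises, shown side by side as an added example. This is not code from 1874.patch or from the Ryzom project; the function names buildQueryVulnerable(), buildQueryEscaped(), createUserPrepared() and checkEmail(), the `user` table and its `Login`/`Email` columns, and the sample address are all assumptions made for illustration. The escaped and prepared variants need a live mysqli connection ($db); the vulnerable builder runs without one so you can see the broken literal.

```php
<?php
// Added example, not the patch's own createUser(). Table and column names
// are assumed; substitute the ones the patch actually uses.

// Constructed input: a quoted local part is syntactically valid, so a
// permissive validEmail() accepts it, but it carries a single quote.
$email = '"\'; DROP TABLE user; -- "@example.com';   // value: "'; DROP TABLE user; -- "@example.com
$login = 'alice';   // checkUser() restricts this to alphanumerics, so it is safe as-is

// Vulnerable: the address is spliced into the statement unescaped, exactly
// the pattern the comment describes. The quote inside $email closes the
// string literal early and the rest of the address becomes SQL text.
function buildQueryVulnerable($login, $email) {
    return "INSERT INTO user (Login, Email) VALUES ('$login', '$email')";
}

// Hardened, option 1 (what the comment proposes): escape before interpolating.
// mysql_real_escape_string() is the ext/mysql call the comment names; ext/mysql
// is gone in PHP 7, and mysqli_real_escape_string() is the same operation.
function buildQueryEscaped(mysqli $db, $login, $email) {
    $login = mysqli_real_escape_string($db, $login);
    $email = mysqli_real_escape_string($db, $email);
    return "INSERT INTO user (Login, Email) VALUES ('$login', '$email')";
}

// Hardened, option 2: a prepared statement. The values never touch the SQL
// text, so no escaping step can be forgotten.
function createUserPrepared(mysqli $db, $login, $email) {
    $stmt = $db->prepare('INSERT INTO user (Login, Email) VALUES (?, ?)');
    $stmt->bind_param('ss', $login, $email);
    return $stmt->execute();
}

// The second point in the comment: a checker that answers 'success' for an
// unset field. Fail closed when the field is missing or empty instead.
function checkEmail($email) {
    if (!isset($email) || $email === '') {
        return 'missing email';   // not 'success'
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? 'success' : 'invalid email';
}

echo buildQueryVulnerable($login, $email), "\n";
// INSERT INTO user (Login, Email) VALUES ('alice', '"'; DROP TABLE user; -- "@example.com')
//                                                   ^ literal ends here; the rest is parsed as SQL
echo checkEmail(null), "\n";   // missing email
```

Whether the injected text after the broken literal actually executes as a second statement depends on the driver (ext/mysql's mysql_query() does not run multiple statements), which is why the comment says "possible"; the literal is broken either way, and a crafted value can still alter the single INSERT. Option 2 is the safer default because it also covers any later query that reuses $email.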
#5 Updated by Botanic about 3 years ago
While this obviously has issues, I mean it more as a demonstration of how to do it; we need to build this into web services anyway....