Bug #1438

Create account not working in client

Added by Botanic over 6 years ago. Updated over 6 years ago.

Status: New
Start date: 03/01/2012
Priority: Normal
Due date:
Assignee: sfb
% Done: 0%
Category: Client: General
Target version: Version 0.9.0

Description

It hangs the client. Attached is a patch that adds PHP files that make it work when they are used as the CreateAccountURL.

1874.patch - php scripts (23 kB) Botanic, 03/01/2012 08:45 am

1875.patch (6.9 kB) Botanic, 03/01/2012 09:02 am

History

#1 Updated by Botanic over 6 years ago

Need this patch as well for CSS and removal of a redundant function.

#2 Updated by kaetemi over 6 years ago

I don't like the hardcoded values. :)

#3 Updated by sfb over 6 years ago

  • Assignee changed from Botanic to sfb
  • Target version set to Version 0.9.0

I'll take this and remove the hard coding.

#4 Updated by nimetu over 6 years ago

1874.patch has a possible SQL injection in createUser() from the $email field.

$email is checked with validEmail() and allows an email like ["\'; SQL"@example.com] (this actually should be a valid email address).
There should be a line [$email=mysql_real_escape_string($email);] just before the SQL $query is created.

$login is checked with checkUser() to only allow alpha-numeric chars and is safe to use.

... also checkUser() and checkEmail() both return 'success' when the actual field is not set.
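
The two problems raised in comment #4, as an added example that is not code from 1874.patch or from the project: a validated email can still contain a single quote, and a validator should reject an unset field. It uses PDO prepared statements rather than the mysql_real_escape_string() call suggested above. The function names, the `users` table and the in-memory SQLite database (standing in for the project's database, requires the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example; all names below are hypothetical, not taken from 1874.patch.

// Validators fail closed: a missing or empty field is an error, never "success".
function checkLoginStrict(?string $login): bool
{
    return $login !== null && preg_match('/\A[A-Za-z0-9]{1,32}\z/', $login) === 1;
}

function checkEmailStrict(?string $email): bool
{
    return $email !== null && $email !== ''
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Unsafe pattern: validated input is concatenated into the SQL text.
function buildQueryByConcatenation(string $login, string $email): string
{
    return "INSERT INTO users (login, email) VALUES ('$login', '$email')";
}

// Safe pattern: values are bound as parameters and never become SQL text.
function createUserPrepared(PDO $db, ?string $login, ?string $email): bool
{
    if (!checkLoginStrict($login) || !checkEmailStrict($email)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (login, email) VALUES (:login, :email)');
    return $stmt->execute([':login' => $login, ':email' => $email]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT NOT NULL)');

// Constructed sample input: a syntactically valid address containing a single quote.
$email = "o'brien@example.com";

// Validation alone does not make the value safe to concatenate.
var_dump(checkEmailStrict($email));
echo buildQueryByConcatenation('obrien', $email), "\n";

// Bound parameters store the address verbatim; an unset field is refused.
var_dump(createUserPrepared($db, 'obrien', $email));
var_dump(createUserPrepared($db, 'nobody', null));
var_dump($db->query('SELECT email FROM users')->fetchColumn() === $email);
```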

#5 Updated by Botanic over 6 years ago

While this obviously has issues, I mean it more to be a demonstration of how to do it; we need to build this into web services anyways...
