Bug #1438
Create account not working in client
Status: | New | Start date: | 03/01/2012 | |
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | sfb | % Done: | 0% |
|
Category: | Client: General | |||
Target version: | Version 0.9.0 |
Description
It hangs the client attached is a patch that adds php files that make it work when they are used as the CreateAccountURL.
History
#1 Updated by Botanic over 6 years ago
- File 1875.patch added
need this patch as well for css and removal of redundant function
#2 Updated by kaetemi over 6 years ago
I don't like the hardcoded values. :)
#3 Updated by sfb over 6 years ago
- Assignee changed from Botanic to sfb
- Target version set to Version 0.9.0
I'll take this and remove the hard coding.
#4 Updated by nimetu over 6 years ago
1874.patch has possible sql injection in createUser() from $email field.
$email is checked with validEmail() and allows email like ["\'; SQL"@example.com] (this actually should be valid email address)
there should be line [$email=mysql_real_escape_string($email);] just before sql $query is created.
$login is checked with checkUser() to only allow alpha-numeric chars and is safe to use.
... also checkUser() and checkEmail() both return 'success' when the actual field is not set.
#5 Updated by Botanic over 6 years ago
while this obviously has issues, I more mean it to be a demonstration on how to do it, we need to build this into web services anyways....