Registration Validation?

Kyttias

Super Moderator
Super Mod
I'd also like to remind anyone reading that it was complained on VPL that there wasn't enough verification going on to prevent script injection. I've added gender to the 'registervalidator' class so no one can right-click on a page, open up the HTML editor, change their gender to ballerina or some other arbitrary thing and hit submit. Such a change would, in fact, go through. Checking for predefined data is important during validation.

And while changing one's gender is harmless enough, can I get confirmation that data is, before even hitting the 'registervalidator' class, being run through something like this:

PHP:
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

Notice I recommend htmlspecialchars(), not htmlentities()! If your site is UTF8 encoded, special symbols like ¡™£¢∞§¶ get turned into little black diamonds with question marks in them because htmlentities() doesn't know how to handle them, but htmlspecialchars() does.

It's worth noting that, for things like the profile 'bio' field, you can also run htmlspecialchars_decode() before displaying the data: meaning, information that was stored in the database with HTML characters encoded will have those encoded characters translated back to HTML before posting, thus allowing users to do a little formatting. From there I'd run strip_tags() to weed out all but a certain set of allowed HTML. I haven't attempted to implement this yet, but does it sound feasible?

Also, currently on the registration page it is only requested that users create appropriate usernames and passwords, but nothing ever prevents users from having symbols in their name, or demands that users have strong passwords. I added in some extra validation for usernames and passwords, by modifying these two functions in the 'registervalidator' class:

  Spoiler: changes to class_registervalidator 
PHP:
  protected function usernamevalidate($username = ""){
    // The username validator; note it is a bit complicated here due to the different mechanism of username check for register and other validators
    $lang = Registry::get("lang");
    if(!$this->emptyvalidate($username)){
      $this->seterror("The field Username is Empty.");
      return FALSE;
    }
    // Resolve the value to check before running the pattern against it
    $username = (empty($username)) ? $this->value['username'] : $username;
    // Anchored so the whole value must match: letters and digits only, 3 to 20 characters, at least one letter
    $regex = '/^(?=.*[a-zA-Z])[a-zA-Z\d]{3,20}$/';
    if(!$this->matchvalidate($regex, $username, "preg_match")){
      $this->seterror("A username may ONLY contain letters and numbers, must be between 3 and 20 characters long, and may not entirely be made of only numbers.");
      return FALSE;
    }
    $userexist = $this->datavalidate("users", array("username"), "username = '{$username}'");
    if($userexist == TRUE){
      $this->seterror($lang->user);
      return FALSE;
    }
    else return TRUE;
  }

and also

PHP:
  protected function passwordvalidate($password = ""){
    $mysidia = Registry::get("mysidia");
    // Anchored so the whole value must match: 6 to 20 characters drawn from the allowed set
    $regex = '/^[a-zA-Z0-9!@#$%^&*+=\-_]{6,20}$/';
    if(!$this->emptyvalidate($this->value['password'])){
      $this->seterror("The field Password is empty.");
      return FALSE;
    }
    elseif(!$this->matchvalidate($regex, $this->value['password'], "preg_match")){
      $this->seterror("A password must be between 6 and 20 characters long, and may ONLY contain letters, numbers and these symbols: !@#$%^&*+=-_");
      return FALSE;
    }
    elseif(!$this->emptyvalidate($mysidia->input->post("pass2"))){
      $this->seterror("The field Confirmed Password is Empty.");
      return FALSE;
    }
    elseif(!$this->matchvalidate($this->value['password'], $mysidia->input->post("pass2"))){
      $this->seterror($mysidia->lang->match);
      return FALSE;
    }
    else return TRUE;
  }

Now the validator will:
  • Check that a new username DOES in fact ONLY contain letters and numbers, is between 3 and 20 characters long, and is not entirely made of only numbers.
  • Check that a password ONLY contains letters, numbers and symbols, and is between 6 and 20 characters long. The accepted symbols are: !@#$%^&*+=-_

So, anyway, the purpose of this thread was to ask what all is being done to validate user input? Not only at registration, but anywhere a profile can be updated as well? I'm only asking for peace of mind.
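An encode-on-input / render-on-output pair for the bio field, added here as an example and not Mysidia's own code. It assumes PHP 7.4+ and that the field is stored htmlspecialchars()-encoded as the post's test_input() leaves it; it also shows the UTF-8 and ENT_SUBSTITUTE flags that the htmlspecialchars() vs htmlentities() point above turns on.

```php
<?php
// Added example, not Mysidia's own code: an encode-on-input / render-on-output pair for the
// profile 'bio' field. The field stays htmlspecialchars()-encoded in the database, as the
// post's test_input() leaves it, and only a fixed allow-list of bare formatting tags is re-enabled.
declare(strict_types=1);

// Tags a user may use in a bio. Attributes are never re-enabled, so there is no attribute surface.
const BIO_ALLOWED_TAGS = ['b', 'i', 'u', 'p', 'br'];

// Store path: the post's test_input() idea with explicit flags. ENT_QUOTES also encodes single
// quotes; 'UTF-8' keeps symbols such as ¡™£¢ intact; ENT_SUBSTITUTE replaces invalid byte
// sequences with U+FFFD instead of letting htmlspecialchars() return an empty string.
function bio_for_storage(string $raw): string
{
    return htmlspecialchars(trim($raw), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Display path: rather than htmlspecialchars_decode() followed by strip_tags() (which keeps
// every attribute of the tags it allows), leave the stored text encoded and turn only exact,
// attribute-free tags from the allow-list back into real HTML. Everything else stays escaped.
function bio_for_display(string $stored): string
{
    $tags = implode('|', BIO_ALLOWED_TAGS);
    return preg_replace_callback(
        "/&lt;(\/?)($tags)(?:\s*\/)?&gt;/i",
        fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $stored
    );
}

// Constructed sample inputs, not taken from any real profile.
$samples = [
    'I like <b>dragons</b> & coffee ¡™£',
    'line one<br />line two',
    '<b class="big">not bold</b>',   // has an attribute, so the opening tag stays escaped
];
foreach ($samples as $raw) {
    $stored = bio_for_storage($raw);
    echo $stored, "\n  -> ", bio_for_display($stored), "\n\n";
}
```

A stray closing tag left behind by a rejected opening tag is harmless to the page, and because every character starts out escaped, nothing outside the allow-list ever reaches the browser as markup.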
 
Well yeah, the script does lack validation for certain pages. Some forms such as breeding and pound are extensively validated, but others are only partially. This is the inconsistency I plan to work on for Mys v1.4.0, which will have a new and much more powerful validation system.

I honestly don't quite agree with the example on gender though, since I cannot see the benefits of changing your own gender to 'ballerina'. It will break your user profile, but it won't even bring harm to other users; do hackers actually enjoy such meaningless things? The avatar though, is a rather serious issue (which may lead to XSS) and I'd see if there's a way to post a patch at the bug tracker to resolve it.
 