Topic: Allowing spaces in admin username?

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Allowing spaces in admin username?
« on: February 19, 2013, 02:33:39 PM »

I'm trying to fool sNews into allowing spaces in the admin username, so it could be for example John Woo, just for fun. Have experimented a little with this (which is a copy from comments, and doesn't work, obviously)
Code:
$user = preg_replace('/[^\p{L}\p{N}_\s-]/u', '', $user);
$user = checkUserPass($_POST['uname']);
$pass = checkUserPass($_POST['pass']);
unset($_POST['uname'],$_POST['pass']);

I've also tried tinkering with checkUserPass, but not getting anywhere. All I get is the "outside character length" error message. This is of course no surprise, given it's me attempting it.

Does anyone know what to do here? If so, I'd be glad to hear it.

Ta-ta for now.
Logged

sibas

  • Sr. Member
  • ****
  • Karma: 23
  • Posts: 451
    • www.simply4all.net
Re: Allowing spaces in admin username?
« Reply #1 on: February 19, 2013, 07:59:46 PM »

Let me understand: in the db, for $user, do you have "John Woo" or "JohnWoo"?
If it is "JohnWoo" in the db, you must change preg_replace to '/[^a-zA-Z0-9_\s-]/', so the space will be removed.

I put the wrong preg_replace; this is the right one: '/[^\p{L}\p{N}]/u'
« Last Edit: February 19, 2013, 08:04:46 PM by sibas »
Logged

Fred K

Re: Allowing spaces in admin username?
« Reply #2 on: February 19, 2013, 09:34:47 PM »

Currently the username (for admin login) cannot have spaces, so the best it can be is "JohnWoo". What I'd like to do is allow users to write the admin login username as, for example, "John Woo".

preg_replace '/[^\p{L}\p{N}]/u' doesn't work, it's what I tried before. Using your other suggestion also produces
Quote
Error
Passwords are outside length limit or do not match

Problem is I can't really see any other place to try and get the preg_replace in either, since checkUserPass checks both uname and pass in one go and the password probably shouldn't have spaces...

/* LATER... */
So I guess the "problem" is with checkUserPass, or rather the
if (ctype_alnum($output) === true... part of checkUserPass. Reading up on if/how to circumvent that now.

/* AGAIN LATER... */
Just thinking... (dangerous move, I know) if I remove ctype_alnum($output) === true altogether, if we just do if(strlen($output) > n && strlen($output) < nn) { return $output; } else { swampgas; } then ... username = for example John Woo is good.

Now, more dangerous moves, since $output is cleaned and strip_tags'ed already, should this not be safe enough? Or am I sincerely offside here?
« Last Edit: February 20, 2013, 02:46:10 AM by Fred K »
Logged

Fred K

Re: Allowing spaces in admin username?
« Reply #3 on: February 20, 2013, 03:27:16 AM »

Here's where I've ended up, if anyone's interested in trying it out:
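Code:
<?php
// USER/PASS CHECK (MODIFIED, NOT SURE IF SAFE ENOUGH!!)
function checkUserPass($input) {
    // clean() and cleanXSS() are defined elsewhere in sNews
    $output = clean(cleanXSS($input));
    $output = strip_tags($output);
    // Reject unless the whole string is a-z, A-Z, 0-9, "_", "-" or whitespace
    // (\s also matches tabs and newlines) and is 6 to 128 characters long.
    if (!preg_match('/^[a-zA-Z0-9_\s-]+$/', $output) || strlen($output) < 6 || strlen($output) > 128) {
        return null;
    } else {
        return $output;
    }
}
?>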

This configuration allows for alphanumeric characters and spaces (a-z,A-Z,0-9,-_ ), minimum 6 and maximum 128 characters in both name and password. The inclusion of spaces and larger number of characters span should *theoretically* increase base security, but sure I am not can be. ;)
In other words, username can be John Woo. Or Paul Cezanne_2. But not crême Brulée.
Only tested locally in a MAMP (PHP5/MySQL5) environment, but it works there.

Why flip the if-else order? Thanks for asking. Because I read somewhere that this makes the check a little faster. Which can only be good, especially if you opt for a looooooooong password or uname.

Anyhoo, I know nothing about safety but I think this could work alright.
Logged

nukpana

  • Hero Member
  • *****
  • Karma: 71
  • Posts: 663
Re: Allowing spaces in admin username?
« Reply #4 on: February 21, 2013, 11:25:54 AM »

Fred, not really reading the whole thread, I would use 2 functions instead of one - to check the username and to check the password.  I say that because the username becomes reusable in other areas such as comments, or modifying the user name. In addition, your requirements for the password may change, and it would be easier if the functionality was separate.
Logged
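
The split suggested in Reply #4, applied to the character and length rules from Reply #3, as an added example that is not code from the thread or from sNews. The names checkUsername() and checkPassword() are hypothetical, and checking only the length of the password is an assumption.

```php
<?php
// Added example: separate validators for the login name and the password.
// checkUsername() and checkPassword() are hypothetical names, not sNews functions.

// Username: a-z, A-Z, 0-9, "_", "-" and single literal spaces, 6 to 128 chars.
// \A and \z anchor the whole string, so one valid first character is not
// enough and a trailing newline is not accepted.
function checkUsername($input) {
    if (!is_string($input)) {
        return null;
    }
    $len = strlen($input);
    if ($len < 6 || $len > 128) {
        return null;
    }
    // Words separated by exactly one space: no tabs, no newlines,
    // no leading or trailing space. The input is rejected, never rewritten.
    if (!preg_match('/\A[a-zA-Z0-9_-]+(?: [a-zA-Z0-9_-]+)*\z/', $input)) {
        return null;
    }
    return $input;
}

// Password: only the length is checked (assumption). The value is returned
// unaltered so the hash is computed over exactly what the user typed.
function checkPassword($input) {
    if (!is_string($input)) {
        return null;
    }
    $len = strlen($input);
    return ($len >= 6 && $len <= 128) ? $input : null;
}

// Constructed sample inputs, not taken from any real installation.
$samples = array('John Woo', 'Paul Cezanne_2', 'JohnW', "John Woo\n", 'John  Woo', 'John<b>Woo');
foreach ($samples as $s) {
    $verdict = checkUsername($s) === null ? 'rejected' : 'accepted';
    printf("%-18s => %s\n", json_encode($s), $verdict);
}
```

Only the first two samples are accepted; the others fail on length, the trailing newline, the double space and the angle brackets respectively.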

Fred K

Re: Allowing spaces in admin username?
« Reply #5 on: February 21, 2013, 03:11:28 PM »

Quote
Fred, not really reading the whole thread, I would use 2 functions instead of one - to check the username and to check the password.

Yeah, no, you're absolutely right. This was more an exercise in reworking the existing check in as simple a fashion as possible, given my PHP dumbness, and getting it to work. That aside, username and password would be better off as two entities (as far as checking goes), yes. Anyway, I learned a bunch - not the least that preg_match (as well as preg_replace) is way faster than ctype_alnum. Faster is good-er, no? ;)

Reading the whole thread isn't mandatory btw, just the OP and my comment just before yours. :D
« Last Edit: February 21, 2013, 03:15:28 PM by Fred K »
Logged