SYSTEM User glitch - Mysidia Adoptables Support Forum

Home Community Mys-Script Creative Off-Topic

		Mysidia Adoptables Support Forum > Projects > The Bug Tracker > Bug
SYSTEM User glitch

SYSTEM User glitch	Issue Tools

12-20-2014 11:18 AM

Hall of Famer Hall of Famer is offline

Administrator, Lead Coder

SYSTEM User glitch

Bug with user possibly registering with username as 'SYSTEM'

Lately Kyttias was asking me a question on what would happen to pouned adoptables if a malicious user registers with the username 'SYSTEM'. I tested it on my demo site and the result was not pleasant, the user would take over all owned adoptables as his/her own, although the pound center still work normally so this user is always in danger of losing his/her adoptables to others.

A fix can be done by adding these lines below line 31 in file classes/class_registervalidator.php

PHP Code:


			
      if($username == "SYSTEM"){
         $this->seterror("Cannot use SYSTEM as username.");
         return FALSE;
      }

If you have never modified this file, download the attachment will solve the problem for you quickly and easily.

Issue Details
Issue Type Bug Project The Bug Tracker Category Unknown Status Fixed Priority 3 Affected Version Mys v1.3.4 Fixed Version Mys v1.4.0 Users able to reproduce bug 0 Users unable to reproduce bug 0 Attachments 1 Assigned Users Hall of Famer Tags (none)

01-13-2015 10:12 PM

MikiHeart MikiHeart is offline

Premium Member

I think this should be implanted but with more options. To rule our usernames like "admin" or "staff" or anything that could be misleading and users could use to attempt to scam other users.

Kind of like a 'disallowed' usernames kinda thing.

01-16-2015 11:11 AM

Kyttias Kyttias is offline

Premium Member

01-17-2015 03:02 AM

MikiHeart MikiHeart is offline

Premium Member

I agree. I think it's the same sorta thing. Also, you replied to the wrong thread XD

03-09-2015 02:03 PM

CallumCharlton CallumCharlton is offline

Member

Is it possible to adapt this so that is does include usernames such as 'Admin', 'Staff', 'Owner', 'Moderator' and 'Error'? As previously stated, this could lead to some unethical practices haha :)

03-10-2015 01:43 PM

IntoRain IntoRain is offline

Moderator

Yeah, you can add a series of "if(username == "name_you_dont_want")" in the same format. I prefer putting all forbidden names (in uppercase) in an array and checking if the username is in that array. Like:

PHP Code:


			
$forbidden_names = array("SYSTEM", "ADMIN", "STAFF", "OWNER", "MODERATOR", "ERROR");



if(in_array(strtoupper($username), $forbidden_names)){

         $this->seterror("Cannot use '$username' as username.");

         return FALSE;

}

01-06-2017 07:32 AM

~~Silver_Brick~~ Silver_Brick is offline

Designer || Coder

do not joke hof it is not fixed that system username is still bugging me so help me out i can show the screenshot and here is my register validation

PHP Code:


			
<?php



class RegisterValidator extends UserValidator{

  // The register validator for user and usergroup system

    

  public function __construct(User $user, $value = array(), $action = ""){      

      parent::__construct($user, $value, $action);

  }

  

  public function validate($action = "", $data = ""){

      // The core method validate, it acts like a controller and sends requests to different private methods based on the action

    

      $validarray = array("username", "password", "email", "birthday", "ip", "tos", "answer");

      

      // For RegisterValidator, the validator methods will be executed all at once

      foreach($this->value as $key => $var){

         $method = "{$key}validate";

         if(in_array($key, $validarray)) $this->$method($var);

         else throw new Exception('Validation action invalid...');



         if(!empty($this->error)) return FALSE;

      }

  }

    

  protected function usernamevalidate($username = ""){

      // The username validator, note its a bit complicate here due to the different mechanism of username check for register and other validators

      $lang = Registry::get("lang");

      if(!$this->emptyvalidate($username)){

         $this->seterror("The field Username is Empty.");

         return FALSE;

      }  

      if($username == "SYSTEM"){

         $this->seterror("Cannot use SYSTEM as username.");

         return FALSE;

      }

      $username = (empty($username))?$this->value['username']:$username;      

      $userexist = $this->datavalidate("users", array("username"), "username = '{$username}'");

      if($userexist == TRUE){

         $this->seterror($lang->user);

         return FALSE;

      }

      else return TRUE;

  }

  

  protected function passwordvalidate($password = ""){ 

      $mysidia = Registry::get("mysidia");  

      if(!$this->emptyvalidate($this->value['password'])){

         $this->seterror("The field Password is empty.");

         return FALSE;   

      }

      elseif(!$this->emptyvalidate($mysidia->input->post("pass2"))){

         $this->seterror("The field Confirmed Password is Empty.");

      }

      elseif(!$this->matchvalidate($this->value['password'], $mysidia->input->post("pass2"))){

         $this->seterror($mysidia->lang->match);

         return FALSE;

      }

      else return TRUE;

  }



  protected function emailvalidate($email = ""){

      $lang = Registry::get("lang");

      $email = (empty($email))?$this->value['email']:$email;    

      $this->emptyvalidate($email);

      $regex = '/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i';

      if(!$this->matchvalidate($regex, $email, "preg_match")){

         $this->seterror($lang->email);

         return FALSE;

      }

      else return TRUE;

  }

     

  protected function birthdayvalidate($birthday = ""){

      $lang = Registry::get("lang");

      if(empty($this->value['birthday'])){

         $this->seterror($lang->birthday, TRUE);

         return FALSE;

      }

      else return TRUE;

  }



  protected function answervalidate($answer = ""){

      $mysidia = Registry::get("mysidia");

      if(!$this->matchvalidate($this->value['answer'], $mysidia->settings->securityanswer)){

         $this->seterror($mysidia->lang->question);

         return FALSE;

      }

      else return TRUE;

  }

  

  protected function tosvalidate($tos = ""){

      $lang = Registry::get("lang");

      $tos = (empty($tos))?$this->value['tos']:$tos;

      if($tos != "yes"){

         $this->seterror($lang->tos);

         return FALSE;         

      }

      else return TRUE;

  }

 

}

?>

01-06-2017 09:10 AM

Abronsyth

A Headache Embodied

Silver_Brick, are you saying that someone was able to register with the username System?

01-06-2017 10:34 AM

~~Silver_Brick~~ Silver_Brick is offline

Designer || Coder

no they did not get reigstered but they can adopt pets which are pounded and that makes me very very very very very very very sad sad sad

01-06-2017 10:48 AM

Ittermat

The awesomesauce

System IS The pound....

I thought it was a problem too-

http://mysidiaadoptables.com/forum/s...ead.php?t=5028

01-06-2017 12:15 PM

~~Silver_Brick~~ Silver_Brick is offline

Designer || Coder

Ok got it and its solved i am sorry hof

Issue Tools
Subscribe to this issue
View Changes

Assigned Users
Please Wait

Tags
Please Wait

All times are GMT -5. The time now is 12:05 PM.

Currently Active Users: 784 (0 members and 784 guests)
Threads: 4,081, Posts: 32,029, Members: 2,016
Welcome to our newest members, jolob.

What's New?

What's Hot?

What's Popular?