Author Topic: Please remove Special Characters from your usernames. (Read 7350 times)

ZacharyCohn · « **on:** February 19, 2009, 03:24:29 PM »

Please remove all special characters from your usernames. If you have certain ones in your username, it prevents people from PMing you. Special characters are any non alpha-numeric character. (That means letters and numbers are okay, nothing else is).

If you want to use your name and your handle, you have the ability to modify your own title. My title says "Happydud" because that was my old handle. I strongly suggest you either make your username your name OR your handle, not both. It leads to long, confusing, annoying, and potentially disruptive usernames.

Thank you.

Andy Animus Tran · « **Reply #1 on:** February 19, 2009, 03:25:41 PM »

There really should be a filter on that. You'd think that the people who programmed the forum would've noticed such a blatant bug, eh?

Leon Mederos · « **Reply #2 on:** February 19, 2009, 03:42:46 PM »

You would think, and I had hoped they would have patched it, but nien.

Alec Furtado · « **Reply #3 on:** February 19, 2009, 08:47:01 PM »

Well you can add " and ' as reserve names on the Set Reserve Names page of the Registration section of the admin panel (EDIT: oh and have "Match whole name only" unchecked). However, users can still change their display names to include ' and " unless you disable that. I wrote a hack to test against it but for some reason it's just not working. I guess I'll have to look into it a little further. If you wanna see, name crap is tested from profile change input in Sources/Profile.php starting on line 704. I added the sequence

Code: [Select]

elseif (strpos($_POST['realName'], '"') !== false)
	$post_errors[] = 'bad_name';

Before the first else (ln711) within the if block. It should test if the string '"' (the doublequote) exists anywhere in the posted value. If it exists strpos() outputs the position of '"' inside the string. Otherwise it's false (and the expression should be executed). "bad_name" is just the entry of an error message in the language files. Not sure why it doesn't like it unless it is confused testing for '"'?

I gotta get back to homework lol.

ZacharyCohn · « **Reply #4 on:** February 19, 2009, 11:38:08 PM »

For everyone else, the error is similar to how a SQL injection works.

A) Someone's name is: John 'Jack' Jerry

B) Using your example as a reference, a line of code might look something like:

Code: [Select]

if (strpos($_POST['userName'])
C) What the computer sees is this:

Code: [Select]

if (strpos($_POST['John 'Jack' Jerry']
D) So what happens is that the computer sees everything in between the single quotes as what it's looking for. So it ends up looking for "John " and " Jerry", and then depending on the language Jack does... something or nothing. So it basically tries to send a PM to John and Jerry, but not John 'Jack' Jerry.

Shamas · « **Reply #5 on:** February 20, 2009, 08:12:37 AM »

I didn't even notice that. Heh heh. Good catch (I didn't have characters in my name)

ZacharyCohn · « **Reply #6 on:** February 21, 2009, 10:13:27 AM »

Actually if you guys could help spread this message, I'd really appreciate it. If someone with special characters posts in a thread, just forward them to this thread. Don't go overboard, and only one person has to do it (We don't need ten people telling one person to remove special characters), but it'd help.

If you want to go to their profile and send them an email, that'd be good too, to make sure they see it.

Thanks.

Alec Furtado · « **Reply #7 on:** February 21, 2009, 10:30:55 AM »

Will do.

Shamas · « **Reply #8 on:** February 21, 2009, 12:19:01 PM »

No problem.

Derik (QuikSilva) DaSilva · « **Reply #9 on:** June 12, 2009, 09:17:56 PM »

But parenthesis are fine, right?

ZacharyCohn · « **Reply #10 on:** June 12, 2009, 09:44:28 PM »

Prefer not. We're probably going to be upgrading the forum software soon to disable non alphanumeric.. so you should just change it now.

Alec Furtado · « **Reply #11 on:** June 13, 2009, 02:19:39 PM »

Funny how this is still v1.1.5... they have 1.1.9 now

While you're at it, can you please consider Auto-embed? It has support for over 200 media sites. Just upload the .zip and it's installed. Veerryy simple and very easy.

ZacharyCohn · « **Reply #12 on:** June 13, 2009, 04:00:43 PM »

We're in the process of updating all the components of APK. It just takes time.

(Also, one reason we've held off updating the forums is that we need a special bridge between joomla and smf so the users are shared between APK and the forums. Working on that..)

Nathanael Shermett · « **Reply #13 on:** July 07, 2009, 03:41:51 PM »

Quote from: Zachary Cohn on February 19, 2009, 11:38:08 PM

For everyone else, the error is similar to how a SQL injection works.

A) Someone's name is: John 'Jack' Jerry

B) Using your example as a reference, a line of code might look something like:
Code: [Select]
if (strpos($_POST['userName'])
C) What the computer sees is this:
Code: [Select]
if (strpos($_POST['John 'Jack' Jerry']
D) So what happens is that the computer sees everything in between the single quotes as what it's looking for. So it ends up looking for "John " and " Jerry", and then depending on the language Jack does... something or nothing. So it basically tries to send a PM to John and Jerry, but not John 'Jack' Jerry.

Actually, no. I don't mean to burst your bubble (I thought along the same lines for quite a while) but that only works with SQL. PHP has security against that, and you'll be perfectly fine with a username such as "John 'Jack' Jerry".

Why?
MySQL is its own software based on PHP and other programming languages. It is built into the program, so it has to accept the programs' limitations.

PHP doesn't interpret if (strpos($_POST['John 'Jack' Jerry'])) like that. Instead, it sees it as if function strpos() returns true on on the $_POST variable which is equal to John 'Jack' Jerry, do whatever

MySQL, on the other hand, can't work that way. MySQL is based on queries. If you wrote the above code into a PHP script, you'd have problems, but user input won't mess anything up. In MySQL user input IS the script, so you WILL have issues.

Hope that makes sense.

If you want my input, I think limiting some special characters is a fine idea, but you should allow quotes, underscores, hyphens, and maybe even !@#$%^&*()_+, as they are accessible on nearly all keyboards.

ZacharyCohn · « **Reply #14 on:** July 07, 2009, 07:42:56 PM »

Well, there's something going on then. Sending a PM to user: James "Jim" Kirk will result in an error. I don't remember exactly what it is, but it has to do with the quotations, I may have posted it earlier in the thread.

Nathanael Shermett · « **Reply #15 on:** July 11, 2009, 11:15:01 AM »

That's weird... it shouldn't do that. Are you using the built-in SMF PM system, or something modified on another part of the site?

Alec Furtado · « **Reply #16 on:** July 11, 2009, 11:41:58 AM »

But it is still "similar to how a SQL injection works."

Depending on what they are using as the string delimiters, either ' or " may screw things up. What you could do is replace those with their respective character codes (""" and "&lsquot;" / "&rsquot;")

Nathanael Shermett · « **Reply #17 on:** July 12, 2009, 10:00:27 PM »

Yeah, quotations marks can jack things up... but I'm just saying things like & and ] can't. What's weird, though, is that the error is showing up. SMF forums are extremely stable AND secure. Makes no sense to me.

Oh well.

A-SkyfiOriginal · « **Reply #18 on:** July 14, 2009, 07:28:09 PM »

Question, see my name everywere is A-SkyfiOriginal here it is ASkyfiOriginal
If I change it to A-SkyfiOriginal will that count as a special charater?

Alec Furtado · « **Reply #19 on:** July 15, 2009, 07:32:46 PM »

No, that shouldn't cause a problem with the process.

News:

Author Topic: Please remove Special Characters from your usernames. (Read 7350 times)