RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 June 2001 : 02:34:32

Exactly what I was talking about. If we limit it to certain characters only, there won't be this experimentation.

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 22 June 2001 : 05:41:31

Ok, so how about this: (in register.asp around line #81)
Replace this:

    '## Forum_SQL
    strSql = "SELECT M_NAME FROM " & strMemberTablePrefix & "MEMBERS "
    strSql = strSql & " WHERE M_NAME = '" & Trim(Request.Form("Name")) & "'"

with this:

    strSpaceChk = Request.Form("Name")
    ' Chr(160) is the non-breaking space that ALT+0160 / ALT+160 types in;
    ' turn it into a normal space before trimming, because Trim ignores it
    strSpaceChk = Replace(strSpaceChk, Chr(160), " ", 1, -1, 1)
    ' collapse any run of spaces down to a single space
    Do While InStr(strSpaceChk, "  ") > 0
        strSpaceChk = Replace(strSpaceChk, "  ", " ", 1, -1, 1)
    Loop
    strSpaceChk = Trim(strSpaceChk)
    '## Forum_SQL
    strSql = "SELECT M_NAME FROM " & strMemberTablePrefix & "MEMBERS "
    strSql = strSql & " WHERE M_NAME = '" & strSpaceChk & "'"

n/a
deleted
1 Posts
Posted - 22 June 2001 : 06:26:18

I think it isn't the real solution. You must also prevent using characters starting with
For example "[72]uwr" (without [ ]) is shown as Huwr.
Burak Tuyan aka eLeVeN

tilttek
Junior Member
Canada
333 Posts
Posted - 22 June 2001 : 10:26:29

quote:
I think we should only allow A-Z, a-z and 0-9 as valid characters. By only allowing certain characters, I think it would provide a more secure product. Either that or we have to add a test in for everything new that someone comes up with. Such as the double space and the ALT+160 as shown above. There are probably many, many more mischievous things people can try in their username, we just haven't seen them yet.

I think it's the best solution... But you should add: [space] (only one), - and _
and some accents: êëèéâäàáçïîìíóüôöòûùúñÿ
There might be some others, so maybe make a list! No < > &
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com

eleven
Starting Member
Turkey
32 Posts
Posted - 22 June 2001 : 22:29:08

quote:
I think we should only allow A-Z, a-z and 0-9 as valid characters. By only allowing certain characters, I think it would provide a more secure product. Either that or we have to add a test in for everything new that someone comes up with. Such as the double space and the ALT+160 as shown above. There are probably many, many more mischievous things people can try in their username, we just haven't seen them yet.
I have it working at my site here: http://kinser.121host.net/v31sr4/default.asp

Ok, I changed my mind. I think allowing the certain characters is the best way...
But if we should do a list of the "must prevent" things:
1) Do not allow using the space character twice or more...
2) Do not allow using the space character at the beginning and end of the user name.
3) Do not allow using the & character...
4) Do not allow using the ; character
5) Do not allow using the < > characters
6) Do not allow using forum code
7) Do not allow ALT+0160
8) Do not allow using | (pipe) because it looks like l (L)
9) Do not allow using " (quote)
I think these are enough.
Burak Tuyan aka eLeVeN

blackinwhite
Average Member
Turkey
657 Posts

eleven
Starting Member
Turkey
32 Posts
Posted - 23 June 2001 : 10:05:57

Hi, I made the modifications (as Richard Kinser and antivitamin wrote before) I wrote above and it works well:
(in register.asp around line #81)
Replace this:

    '## Forum_SQL
    strSql = "SELECT M_NAME FROM " & strMemberTablePrefix & "MEMBERS "
    strSql = strSql & " WHERE M_NAME = '" & Trim(Request.Form("Name")) & "'"

with this:

    strSpaceChk = Request.Form("Name")
    ' Chr(160) is the non-breaking space that ALT+0160 / ALT+160 types in;
    ' turn it into a normal space before trimming, because Trim ignores it
    strSpaceChk = Replace(strSpaceChk, Chr(160), " ", 1, -1, 1)
    ' collapse any run of spaces down to a single space
    Do While InStr(strSpaceChk, "  ") > 0
        strSpaceChk = Replace(strSpaceChk, "  ", " ", 1, -1, 1)
    Loop
    strSpaceChk = Trim(strSpaceChk)
    '## Forum_SQL
    strSql = "SELECT M_NAME FROM " & strMemberTablePrefix & "MEMBERS "
    strSql = strSql & " WHERE M_NAME = '" & strSpaceChk & "'"

(in register.asp around line #100)
Replace this:

    if (Instr(Request.Form("Name"), ">") > 0) or (Instr(Request.Form("Name"), "<") > 0) then
        Err_Msg = Err_Msg & "<li> > and < are not allowed in the UserName, Please Choose Another</li>"
    end if

with this:

    ' reject > < . double space , ; & | " and the non-breaking space Chr(160) (ALT+0160)
    if (Instr(Request.Form("Name"), ">") > 0) _
      or (Instr(Request.Form("Name"), "<") > 0) _
      or (Instr(Request.Form("Name"), ".") > 0) _
      or (Instr(Request.Form("Name"), "  ") > 0) _
      or (Instr(Request.Form("Name"), ",") > 0) _
      or (Instr(Request.Form("Name"), ";") > 0) _
      or (Instr(Request.Form("Name"), "&") > 0) _
      or (Instr(Request.Form("Name"), "|") > 0) _
      or (Instr(Request.Form("Name"), """") > 0) _
      or (Instr(Request.Form("Name"), Chr(160)) > 0) then
        Err_Msg = Err_Msg & "<li>The UserName You Choose is not Valid, Please Choose Another UserName</li>"
    end if

I also want to prevent using Forum Code in the UserNames. What is the necessary code? I couldn't manage to do this!
Thanks...
Burak Tuyan aka eLeVeN

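An allow-list version of the same check, as an added example that is not code from the Snitz project or from anyone in this thread. Instead of testing for every character nobody wants (and adding a new test each time someone finds another one), it accepts only the set tilttek proposed above (A-Z, a-z, 0-9, a single space, hyphen, underscore and the listed accented letters) and rejects everything else, including Chr(160), |, <, >, &, " and the single quote. The allowed set, the 25-character limit and the function names IsValidUserName and UserNameKey are all assumptions made for this example:

```vbscript
' Added example, not Snitz code. Allow-list check for the username in
' register.asp: every character must be in strAllowed, the name must not
' start or end with a space, and two spaces may not appear in a row.
' strAllowed is an assumption taken from this thread; adjust it to taste.
' If register.asp is not saved in a codepage that carries the accented
' letters, build that part of the list with ChrW() instead.
Function IsValidUserName(ByVal strName)
    Dim strAllowed, i, c, blnPrevSpace
    strAllowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" & _
                 "abcdefghijklmnopqrstuvwxyz" & _
                 "0123456789 -_" & _
                 "êëèéâäàáçïîìíóüôöòûùúñÿ"
    IsValidUserName = False

    ' Empty and over-long names are rejected outright.
    ' 25 is an assumption; use the width of the M_NAME column.
    If Len(strName) = 0 Or Len(strName) > 25 Then Exit Function

    ' Rule 2 of the list above: no leading or trailing space. The raw
    ' string is tested, not Trim(strName), so a leading Chr(160) is
    ' still caught by the character loop below rather than hidden.
    If Left(strName, 1) = " " Or Right(strName, 1) = " " Then Exit Function

    blnPrevSpace = False
    For i = 1 To Len(strName)
        c = Mid(strName, i, 1)
        ' Binary compare: the test is case-sensitive and exact, so
        ' Chr(160), "|", "<", ">", "&", """" and "'" simply are not found.
        If InStr(1, strAllowed, c, vbBinaryCompare) = 0 Then Exit Function
        ' Rule 1: no double space.
        If c = " " Then
            If blnPrevSpace Then Exit Function
            blnPrevSpace = True
        Else
            blnPrevSpace = False
        End If
    Next
    IsValidUserName = True
End Function

' Key for the "name already taken" query: lower-cased so that "HuwR"
' and "huwr" collide even when the database collation is case-sensitive.
' Only call this after IsValidUserName has passed.
Function UserNameKey(ByVal strName)
    UserNameKey = LCase(strName)
End Function

' Use in register.asp, in place of the chain of Instr tests:
'   If Not IsValidUserName(Request.Form("Name")) Then
'       Err_Msg = Err_Msg & "<li>The UserName You Choose is not Valid, Please Choose Another UserName</li>"
'   End If
```

Because the single quote is not in the allow list, a name that passes this check can no longer break out of the quoted M_NAME comparison in the strSql line shown above; that is a side effect, though, and the query should still be moved to a parameterised ADODB.Command rather than string concatenation. Whether the uniqueness query should compare UserNameKey(name) against LCase(M_NAME) depends on the answer to the case-sensitivity question raised later in this thread.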
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 25 June 2001 : 12:13:06

Could we have a definitive answer on this? I am not sure what fix I am supposed to implement.

tilttek
Junior Member
Canada
333 Posts
Posted - 25 June 2001 : 13:02:06

quote:
1) Do not allow using the space character twice or more...
2) Do not allow using the space character at the beginning and end of the user name.
3) Do not allow using the & character...
4) Do not allow using the ; character
5) Do not allow using the < > characters
6) Do not allow using forum code
7) Do not allow ALT+0160
8) Do not allow using | (pipe) because it looks like l (L)
9) Do not allow using " (quote)

Hum, we might miss something... I think ALT-255 can be a problem too.
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 25 June 2001 : 15:20:59

HuwR, check with Mike. I think he wants to limit the characters that can be used instead of testing for every character we don't want used.

Reinsnitz
Snitz Forums Admin
USA
3545 Posts
Posted - 26 June 2001 : 12:23:09

Richard I agree with you on that.
If we were to pick a set of characters... I would say to figure out what characters are allowed in an email address... and use those... including the @ and . (period)
Reinsnitz (Mike) ><)))'> Need a Mod? "Therefore go and make disciples of all nations,..." Matthew 28:19a

tilttek
Junior Member
Canada
333 Posts
Posted - 26 June 2001 : 12:53:47

quote:
If we were to pick a set of characters... I would say to figure out what characters are allowed in an email address... and use those... including the @ and . (period)

Hum, but e-mail addresses are CASE insensitive. Will the username be case insensitive?
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com

bjlt
Senior Member
1144 Posts
Posted - 26 June 2001 : 13:01:01

quote:
Hum, but e-mail addresses are CASE insensitive. Will the username be case insensitive?

I thought it is now

RDoGG™
Junior Member
USA
329 Posts
Posted - 26 June 2001 : 16:39:21

quote:
quote:
Hum, but e-mail addresses are CASE insensitive. Will the username be case insensitive?
I thought it is now

no it isn't...
I think you should allow the ™ sign
(Alt+0153)

HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 26 June 2001 : 16:51:31

quote:
quote:
If we were to pick a set of characters... I would say to figure out what characters are allowed in an email address... and use those... including the @ and . (period)
Hum, but e-mail addresses are CASE insensitive. Will the username be case insensitive?
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com

Urm, not always, that depends on the email server.
