Ajax Registration SQL/PHP Injection
- luizgolin
- Topic Author
15 years 1 month ago #4942
by luizgolin
Hi there Amir,
First of all I'd like to say that the AJAX Registration component is really nice, and so far it has been a great purchase.
However, I haven't read anywhere about its protection against SQL/PHP injections. I noticed that the AJAX verification for username currently accepts characters such as SPACE or special characters like " '$ * @ , . { [ } ] : / \ | + = - ! ? ^ and latin characters such as áãâàçñ etc...
I understand these characters might not influence direct injections, however they can bring conflicts and issues on further extensions that might want to use the user details. Currently, I can register a username as 'blank+blank+blank' or even '?!^'.
Would there be a way (hack) to limit these characters at least in the username field? Or perhaps just add a preg_replace somewhere?
Many thanks!!
Cheers,
Luiz
- Saka
- Administrator
15 years 1 month ago #4943
by Saka
Hello,
AJAX Register uses Joomla's own registration routine. You can register a username like '?!^' with the native Joomla registration component as well, when AJAX Register is not installed.
Sure it may be a good feature to block certain characters for username registration in component configuration for the future.
Emir Sakic
www.sakic.net
- luizgolin
- Topic Author
15 years 1 month ago #4944
by luizgolin
Hi Saka, and thanks for your quick reply!
Would you suggest any specific place in the AJAX Registration files where we could try to modify it ourselves to implement this?
Thanks once again,
Luiz
- Saka
- Administrator
15 years 1 month ago #4945
by Saka
Yes, in the User controller (controller.php), register_save() method.
Emir Sakic
www.sakic.net
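An allow-list check of the kind the thread asks for, as an added example and not code from AJAX Register or Joomla; the function name, the exact character policy and the sample inputs are assumptions. It rejects the submitted username instead of silently rewriting it with preg_replace, and it is an input-policy control only: protection against SQL injection still comes from the database layer quoting or parameterising the value.

```php
<?php
// Added example, not part of AJAX Register or Joomla. Intended to be called at
// the top of register_save() in controller.php, before the Joomla registration
// routine runs; how the submitted value is fetched and how the error is reported
// depend on the Joomla version and are left out here.
//
// Rejecting is preferable to preg_replace(): stripping characters silently
// changes what the user typed, and two different inputs can collapse to the
// same stored username.
function isAcceptableUsername($username)
{
    // Hypothetical policy: 3 to 30 characters, ASCII letters and digits only,
    // with '.', '_' or '-' allowed only between two alphanumerics. This is an
    // explicit allow-list; a block-list of "bad" characters is always incomplete.
    $pattern = '/^[A-Za-z0-9](?:[A-Za-z0-9]|[._-](?=[A-Za-z0-9])){2,29}$/';
    return is_string($username) && preg_match($pattern, $username) === 1;
}

// Constructed sample inputs, including the ones reported in the thread.
$samples = array(
    'luiz_golin',         // accepted
    'blank blank blank',  // rejected: spaces
    '?!^',                // rejected: no alphanumerics at all
    'luiz.',              // rejected: separator at the end
    'a--b',               // rejected: two separators in a row
    'áãâàçñ',             // rejected: outside the ASCII allow-list
);
foreach ($samples as $s) {
    printf("%-20s %s\n", $s, isAcceptableUsername($s) ? 'accepted' : 'rejected');
}
```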
- luizgolin
- Topic Author
15 years 1 month ago #4946
by luizgolin
Thanks a lot, Emir!
Luiz