SteveDave Posted March 18, 2009 Hey guys, I just had someone on my game change their name to C:\Users\aid and their name doesn't show up. Is it possible this person can hack the site by doing this? Is there any way to not allow certain characters in names or secure this somehow? (I already searched the forum for similar threads but couldn't find anything.)
SteveDave (author) Posted March 19, 2009 Re: Secure Names? Please help. Any help here? If there are some things I have to do to fix this that would require you to make an effort, I'll at least throw a couple of bucks your way for taking your time to help me.
Lithium Posted March 19, 2009 Re: Secure Names? Please help. You can use the ctype functions: http://us.php.net/manual/en/book.ctype.php
DELETE ME NOW! Posted March 19, 2009 Re: Secure Names? Please help. Okay, here is what I use:

    // This is the tail of an if/else chain; the first if (...) branch, $userid and the
    // database link $c are set earlier in the script and were not included in the post.
    // ereg() was removed in PHP 7; preg_match() performs the same "any non-alphanumeric" check.
    } else if (preg_match('/[^A-Za-z0-9]/', $_POST['newname'])) {
        print "Your name can only contain letters and numbers! [url='preferences.php?action=namechange']> Back[/url]";
    } else if (strlen($_POST['newname']) >= 20) {
        print "You must have a name that is below 20 characters. [url='preferences.php?action=namechange']> Back[/url]";
    } else {
        // strip_tags() is redundant after the character check above but does no harm
        $newUsername = strip_tags($_POST['newname']);
        // legacy mysql extension (removed in PHP 7); the name is escaped before it is placed in the query
        mysql_query("UPDATE `users` SET `username`='" . mysql_real_escape_string($newUsername) . "' WHERE (`userid` = $userid)", $c);
        print "Username changed!";
    }

That is some of the code I use, but not all.
POG1 Posted March 19, 2009 Re: Secure Names? Please help.

    // Undo magic quotes if they are on, trim, HTML-encode, then escape for MySQL.
    function codeClean($var) {
        return mysql_real_escape_string(htmlentities(trim((get_magic_quotes_gpc()) ? stripslashes($var) : $var)));
    }

    // Change a user's name; returns TRUE on success, FALSE if validation or the query fails.
    function changeName($userId, $name) {
        // ctype_digit() expects a string: an integer argument is treated as a character code, so cast it.
        if (ctype_alnum($name) AND strlen($name) > 4 AND strlen($name) < 20 AND ctype_digit((string) $userId)) {
            $result = mysql_query("UPDATE `users` SET `username` = '" . codeClean($name) . "' WHERE `userid` = '" . abs(intval($userId)) . "';");
            return (bool) $result;
        } else {
            return FALSE;
        }
    }

Two functions: add codeClean as a global function so you can use it elsewhere, and add changeName wherever you want. I haven't tested the name change but it looks as if it will work to me :)
DELETE ME NOW! Posted March 19, 2009 Re: Secure Names? Please help. Why abs(@intval($userId))? userid is already a number and can't be changed.
POG1 Posted March 19, 2009 Re: Secure Names? Please help. 1.24 is a number; it won't work well in the database field ;) You could probably get away without using intval, though.
DELETE ME NOW! Posted March 19, 2009 Re: Secure Names? Please help.
> 1.24 is a number; it won't work well in the database field ;) You could probably get away without using intval, though.

Yes, but how is a user going to get a userid of 1.24? It won't happen lol, it will just go 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 etc. lol.
POG1 Posted March 19, 2009 Re: Secure Names? Please help. It's called using an *insecure script*. I assumed this, so that's why it's in there: to make something that could possibly cause an error stop an error.
DELETE ME NOW! Posted March 19, 2009 Re: Secure Names? Please help.
> It's called using an *insecure script*. I assumed this, so that's why it's in there: to make something that could possibly cause an error stop an error.

Hmm, true lol
Isomerizer Posted March 19, 2009 Re: Secure Names? Please help.
> 1.24 is a number; it won't work well in the database field ;) You could probably get away without using intval, though.

> Yes, but how is a user going to get a userid of 1.24? It won't happen lol, it will just go 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 etc. lol.

$userid = $_SESSION['ID'], right? So if userid comes from a session it can be altered. Make sure to validate those sessions!
Vali Posted March 19, 2009 Re: Secure Names? Please help. Just use a regular expression on the names: /[a-zA-Z0-9\-_]+/ (basically a to z, 0 to 9, - and _ are allowed). If they fail that, then ask them to enter a new user name.
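The thread's suggestions (ctype/regex allow-listing of the name, a length limit, treating the session user id as untrusted, and escaping before the query) fit together as one small module. The following is an added example written for this page, not code from any poster or from the game script under discussion. It assumes a PDO connection `$db` to a MySQL database with the `users` table and `username`/`userid` columns named above; the sample names at the bottom are constructed. The pattern is anchored with `^` and `$` so the whole name must match: a character-class pattern without anchors only requires that some substring match, which is why a name like `C:\Users\aid` would slip through it.

```php
<?php
declare(strict_types=1);
// Added example (not from any post in this thread): validate a requested username with an
// anchored allow-list, store it with a prepared statement, and escape it on output.
// Assumptions: a PDO handle $db exists; table `users` has columns `username` and `userid`.

const NAME_MIN = 4;
const NAME_MAX = 19;   // thread rule: the name must be below 20 characters

/**
 * Returns null when the name is acceptable, otherwise a message for the user.
 * Anchors (^ ... $) make the WHOLE name consist of allowed characters.
 */
function validateUsername(string $name): ?string
{
    $len = strlen($name);
    if ($len < NAME_MIN || $len > NAME_MAX) {
        return sprintf('Your name must be between %d and %d characters.', NAME_MIN, NAME_MAX);
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return 'Your name can only contain letters, numbers, "-" and "_".';
    }
    return null;
}

/**
 * The user id comes from the session, so it is validated like any other input.
 * filter_var() rejects "1.24", "12abc" and "" instead of silently truncating them.
 */
function validateUserId($id): ?int
{
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $int === false ? null : $int;
}

/**
 * Stores the new name. The prepared statement keeps the name and id out of the SQL
 * text entirely, so no manual escaping (mysql_real_escape_string etc.) is needed.
 */
function changeName(PDO $db, $userId, string $name): bool
{
    $id = validateUserId($userId);
    if ($id === null || validateUsername($name) !== null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE `users` SET `username` = :name WHERE `userid` = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

/** Escape on output: a stored name is never trusted when rendered into HTML. */
function displayName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, including the name from the opening post.
foreach (['SteveDave', 'C:\\Users\\aid', 'abc', '<b>x</b>', str_repeat('a', 20)] as $candidate) {
    $verdict = validateUsername($candidate) ?? 'ok';
    printf("%-30s %s\n", displayName($candidate), $verdict);
}
```

Running the file with the PHP CLI prints each constructed name (HTML-escaped) next to its verdict; only `SteveDave` passes. `changeName()` is not invoked in the demo because it needs the assumed `$db` connection; wire it to the `preferences.php?action=namechange` handler in place of the string-built query.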