Zettieee (thread author, posted March 4, 2014):
Hey guys. So recently someone I know told me people can have special chars in their usernames. Some of these special chars are offensive and shouldn't be allowed. On register you need to add ctype_alnum() around the username input. Also on username change.
rockwood (posted March 4, 2014):
Yes: to avoid having to escape special characters. Lazy programmers will just drop what the user types straight into the code somewhere, and this is what leads to injection attacks. Even if it's not used maliciously, allowing the user to type characters that will conflict somewhere else can be more hassle than necessary. For example, if you decide to create a filesystem directory per user, to store their uploads in, then the username must conform to directory naming rules on that OS (e.g. no \/:*?"<>| on Windows). Once you've avoided clashes like the directory naming one, and stripped out "';% and // to avoid injection attacks, you have removed most punctuation, and "why does someone even need punctuation in their user name"? It was far easier to write a quick regex to validate usernames against [a-zA-Z0-9_] and be done with it, than faff about with figuring out all the possible punctuation that will not clash, or mapping them to other characters in some way. Then, like many things in computing, as soon as enough people start having just letters, numbers and underscores for usernames, and people start making usernames to that spec, it became the de facto standard and self-perpetuates!
Dave (posted March 4, 2014):
> Yes: to avoid having to escape special characters. Lazy programmers will just drop what the user types straight into the code somewhere, and this is what leads to injection attacks. Even if it's not used maliciously, allowing the user to type characters that will conflict somewhere else can be more hassle than necessary. For example, if you decide to create a filesystem directory per user, to store their uploads in, then the username must conform to directory naming rules on that OS (e.g. no \/:*?"<>| on Windows). Once you've avoided clashes like the directory naming one, and stripped out "';% and // to avoid injection attacks, you have removed most punctuation, and "why does someone even need punctuation in their user name"? It was far easier to write a quick regex to validate usernames against [a-zA-Z0-9_] and be done with it, than faff about with figuring out all the possible punctuation that will not clash, or mapping them to other characters in some way. Then, like many things in computing, as soon as enough people start having just letters, numbers and underscores for usernames, and people start making usernames to that spec, it became the de facto standard and self-perpetuates!

Source: http://stackoverflow.com/questions/2053335/what-should-be-the-valid-characters-in-usernames#7875696

If you're going to steal other people's posts on other sites, at least have the decency to attribute the original source.
Guest (posted March 4, 2014):
> Yes: to avoid having to escape special characters. Lazy programmers will just drop what the user types straight into the code somewhere, and this is what leads to injection attacks. Even if it's not used maliciously, allowing the user to type characters that will conflict somewhere else can be more hassle than necessary. For example, if you decide to create a filesystem directory per user, to store their uploads in, then the username must conform to directory naming rules on that OS (e.g. no \/:*?"<>| on Windows). Once you've avoided clashes like the directory naming one, and stripped out "';% and // to avoid injection attacks, you have removed most punctuation, and "why does someone even need punctuation in their user name"? It was far easier to write a quick regex to validate usernames against [a-zA-Z0-9_] and be done with it, than faff about with figuring out all the possible punctuation that will not clash, or mapping them to other characters in some way. Then, like many things in computing, as soon as enough people start having just letters, numbers and underscores for usernames, and people start making usernames to that spec, it became the de facto standard and self-perpetuates!

This is totally irrelevant; this has nothing to do with injection or attacks, just simply offensive names.
Zettieee (thread author, posted March 4, 2014, edited):
You can avoid injection in usernames simply by using ctype_*. But my point was to get rid of offensive chars.

PS: Does anyone know any other exploits/bugs in mccodes (v2)?

Edited March 4, 2014 by Zettieee
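The thread mentions two ways of restricting usernames, ctype_alnum() and a regex over [a-zA-Z0-9_], and insists the check runs on both registration and username change. The PHP below is an added example written for this thread, not code from mccodes or from any poster; the function names, the length limits and the sample inputs are assumptions chosen for illustration. It puts the check in one function that both request handlers call, so the two code paths cannot drift apart, and shows the one regex detail that commonly bites here (a trailing newline slipping past `$` unless the `D` modifier is used).

```php
<?php
// Added example for this thread (not mccodes code). One validator shared
// by registration and username change. Function names, limits and sample
// inputs below are assumptions for illustration.

declare(strict_types=1);

const USERNAME_MIN = 3;   // assumed policy
const USERNAME_MAX = 20;  // assumed policy

/**
 * Returns null when $username is acceptable, otherwise a short reason.
 * Allow list: ASCII letters, digits and underscore (the [a-zA-Z0-9_] set
 * from the thread), within a length range.
 */
function validateUsername(string $username): ?string
{
    // Without /D, "$" also matches just before a trailing "\n", so "eve\n"
    // would pass. /D makes "$" match only at the true end of the string.
    if (!preg_match('/^[A-Za-z0-9_]+$/D', $username)) {
        return 'only letters, digits and underscore are allowed';
    }
    $len = strlen($username); // allow list is ASCII-only, so bytes == chars
    if ($len < USERNAME_MIN || $len > USERNAME_MAX) {
        return sprintf('must be %d to %d characters', USERNAME_MIN, USERNAME_MAX);
    }
    return null;
}

/**
 * The ctype_alnum() variant suggested in the thread: true only for a
 * non-empty string of ASCII letters and digits. Note it rejects "_" too,
 * so it is stricter than the regex above, and it returns false for "".
 */
function isAlnumOnly(string $username): bool
{
    return ctype_alnum($username);
}

// Both handlers call the same validator before touching the database.
function handleRegister(array $post): string
{
    $name = (string)($post['username'] ?? '');
    $why  = validateUsername($name);
    if ($why !== null) {
        return "Registration refused: $why";
    }
    // ... insert the user with a parameterized query here ...
    return "Registered $name";
}

function handleUsernameChange(array $post): string
{
    $name = (string)($post['new_username'] ?? '');
    $why  = validateUsername($name);
    if ($why !== null) {
        return "Name change refused: $why";
    }
    // ... update the user with a parameterized query here ...
    return "Renamed to $name";
}

// Constructed sample inputs showing which rule each one trips.
foreach (['alice_99', 'bob', "eve\n", 'ma<script>', 'x', ''] as $candidate) {
    printf("%-14s -> %s\n", json_encode($candidate), validateUsername($candidate) ?? 'ok');
    printf("%-14s    ctype_alnum: %s\n", '', isAlnumOnly($candidate) ? 'true' : 'false');
}
echo handleRegister(['username' => 'alice_99']), "\n";
echo handleUsernameChange(['new_username' => "Mal'icious"]), "\n";
```

Two things worth noting when applying this. First, the character allow list answers the injection and filesystem concerns raised in the thread, but it does nothing about the original poster's actual complaint: an offensive name spelled with plain letters passes every check above, so that needs a separate word-list or moderation step. Second, the validator only accepts input; the comments mark where the database write happens, and that write still has to use a parameterized query rather than relying on the allow list as the sole defence.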
sniko (posted March 4, 2014):
> You can avoid injection in usernames simply by using ctype_*. But my point was to get rid of offensive chars.
>
> PS: Does anyone know any other exploits/bugs in mccodes (v2)?

Yes. Plus, http://teachthe.net/?cat=59
Guest (posted March 4, 2014):
> Yes. Plus, http://teachthe.net/?cat=59

They should have been fixed, I would have thought?
sniko (posted March 4, 2014):
> They should have been fixed, I would have thought?

On already established run-by-people-who-don't-care games? I think not. Oh, and don't forget the illegally run games, who have v2 from release day and can't upgrade, assuming new source isn't "leaked", which I think it is.
Zettieee (thread author, posted March 4, 2014):
I have a v2 license but it's held by Zypher, who has vanished :( And thanks sniko