24 replies to this topic

[Cris D.]

File Name: membership_validator
File Submitter: Cris D.
File Submitted: 27 Dec 2007
File Updated: 09 Sep 2009
File Category: Security

2 x Snippets by Cris D. ( member_validator1.0 and member_verifier2.0 )
Date: 2007/12/27
Uses: Allows users of an etomite site to create their own account.
Notes: the account role, permissions and document groups can be set in the snippet
All form fields are validated.
All returned language is abstracted out ready for translation.

UPDATED 2009-09-09
V2.0 membership_verifier has increased security to stop hacking attempts.
For additional security from spam accounts and robots, turn on captcha in the authenticate_visitor snippet.

Warning:
Some of this configuration requires some knowledge of document and group permissions, this can be hazardous if not set properly as you may intentionally give everyone access to everything (including the manager) in your site. Also, as this uses advanced permissions, if your site is set up with simple permissions, you may need to change some snippets to accommodate the new permissions, otherwise you may give the public access to parts of your site that are no longer protected (eg any snippets that rely on API's checkPermissions() or userLoggedIn() will return 'true' regardless of the users role).

If you are new to etomite it is recommended that you start with something easier! But if you are up for the challenge and need help, see the forums for assistance.

Contents of the attached README file:
README for the Membership Validator module
In this zip is an amended membership_validator1.1 snippet with the following changes:

//changelog for 1.1:
//changed the wrapping "<p>" to make the form validate
//added the missing phone validation code and error messages
//added the missing formChunkName so that an external chunk can be used to display the form
//improved the email_switch
//added a sample member_validator_chunk.txt file to use of an external chunk is required.


1) Enable access permissions and visitor permissions in your Etomite manager.
2) Create the new role you want your members to belong to and note the name eg 'automembers'.
3) In permissions, user groups, create a new user group eg 'downloaders'.
4) In permissions, document groups, create a new document group egg 'music'.
5) in permissions, user / document group links, create the document/group link.
6) Copy and paste the contents of the snippet membership_validator into the snippet library.
7) Copy and paste the contents for the snippet membership_verifier into the snippet library.
8) Create a new page where your members will be re-directed on clicking their email link, I suggest putting it
in the repository and 'not show in the menu' for additional security: this is the 'confirmationPage'.
9) Call the snippet membership_verifier in the page and publish it. Take note of the page id.
10) Create and publish a page where your users will create their account, call the snippet membership_validator in it.
11) configure the snippet with the following:
1) Using phpMyAdmin, locate the user role you created earlier in the etomite_user_roles table and locate the id of the role: place it in the snippet config.
2) Set the $tempExpires variable for how long users have to verify their account before the temporary records are
deleted.
3) Set the $confirmationPage page id which will be the page sent in the url in the body of the email with the
verification link.
4) Set the table name that will store your temporary records, and the email address that will appear in the "from"
fields in the validation email.

11) Configure the membership_verifier snippet with the following:
1) Set the id of the page that has your log-in script like 'authenticate_visitor' snippet - (enable captcha for added security).
2) Set the $memberGroup variable to the membergroup name that you set previously in the permissions, user group eg 'downloaders'.
3) Set the tableName to the same name that was used in the membership_validater snippet.
4) Save the snippet changes and your away.

Notes:
If you are testing this by creating test accounts, I have made it hard for surfers to create several accounts, therefore you will also have difficulty. The session username is held in the browser and automatically sent with forms, so you will get a "username and passwords don't match" error if you try to create additional test accounts. You can clear the sessions by
uncommenting
/*
unset($_SESSION['userName']);
unset($_SESSION['firstName']);
unset($_SESSION['lastName']);
unset($_SESSION['email']);
unset($_SESSION['hash']);
*/
, saving the snippet, accessing the page, re-commenting the unsets() and re-saving the snippet. Or clear your browsers sessions via browser tools.



For a live demo, see here.

Click here to download this file

[Ralph]

Cris, if you want to get rid of the {tags} in the form input controls I have some code that will remove them prior to rendering... I place the following code at the bottom of the snippet to remove any orphaned placeholder tags within included parseChunk() result content...

$prefix = "{";
$suffix = "}";
$output = preg_replace("|".$prefix."[^".$suffix."]+".$suffix."|s", "", $output);
return stripslashes($output);

EDIT: Never mind... I see that you are intentionally using those {tags}... Why, I'm not sure... The code above is still nice to keep kicking around in your bag of tricks...

[Cas]

Well this takes away the need for me to adjust my Register snippet. Quite happy to use this which has all of the goodies. The only functional comment is around the phone numbers, it checks for numbers but not for correct phone numbers. Since the latter is almost impossible, I would vote not to validate those fields or simply ignore them in this stage. In my opinion most people would not leave their phone number(land or mobile) behind, more likely ICQ, MSN,Skype.

[Cris D.]

@Ralph

Quote

EDIT: Never mind... I see that you are intentionally using those {tags}... Why, I'm not sure... The code above is still nice to keep kicking around in your bag of tricks...

I was using them so that I could re-use the input form and easily re-display the form values with mereCodeVariables. I tried your $prefix="<!--tag" $suffix="-->" but this does not render invisible inside a form field. Yes, I could have added a preg_replace or substr before re-rendering the form but could have done a lot more to it as well and just wanted to post it so I could get on with business. Thanks for the tip though, it could still work if the logic check for blank fields is amended.
@Cas

Quote

The only functional comment is around the phone numbers, it checks for numbers but not for correct phone numbers. Since the latter is almost impossible, I would vote not to validate those fields or simply ignore them in this stage.

The phone fields check for more than just numbers, it does a regex for the number of numbers in each 'brace' and also checks the length of the numbers and allows spaces (sorry Ralph and Mike, I didn't get your + and () . to pas in the validation, regex drives me spare! So numbers that validate would include 33 333 333 but not 1 55555 1. As usual, my snippets are written for a particular purpose and then abstracted out as much as is easily possible before posting to Etomite to share, I really need phone numbers for my Australian business site. However, there is definitely scope to adapt the snippet to fit your personal use (hence the commenting throughout). If you want to add fields in the form, I have "Where did you find us from" drop down boxes, "Do your want to receive emails from us?" checkboxes, and other things that get saved to additional tables but would have confused the user during the installation of the snippet. Feel free to add them as required and save the info to the relevant table in the marked section of the verifier code.

[Cris D.]

Just ran this through the validator (better late than never), to get it to validate, you will have to remove the <p> enclosing the form by closing it here: from line 49

'intro' => "<p>Registration for membership is a 3 Step process.</p>\n",

and here:

'step1' => "<p><b>Step 1</b> | Step 2 | Step 3 </p>",
'step2' => "<p>Step 1 | <b>Step 2</b> | Step 3 </p>",

and remove the closing tag at the end the form: line 332

$output .="</form></p>";

Edited by Cris D., 27 December 2007 - 08:32 PM.

[Ralph]

Cris D., on Dec 27 2007, 02:54 PM, said:

(sorry Ralph and Mike, I didn't get your + and () . to pas in the validation, regex drives me spare! So numbers that validate would include 33 333 333 but not 1 55555 1. As usual, my snippets are written for a particular purpose and then abstracted out as much as is easily possible before posting to Etomite to share, I really need phone numbers for my Australian business site. However, there is definitely scope to adapt the snippet to fit your personal use (hence the commenting throughout)

I use the Tigra Form Validators "phone" format for client side validation and the server side can be made to work almost the same way... I understand that most snippets are written for an intended purpose and that they can almost never be written to accomodate 100% of all situations... A good solid base from which to work is far better than starting from scratch, that is for sure... Your efforts are definitely appreciated by the membership and I'm sure that individual customizations can be plugged in as needed...

[Cris D.]

As per my M.O. I have made a hash of the submission, accidentally submitting an older version...
I have resubmitted it with the following changes that I accidentally left off...

//changelog for 1.1:
//changed the wrapping "<p>" to make the form validate
//added the missing phone validation code and error messages
//added the missing formChunkName config and logic so that an external chunk can be used to display the form
//improved the email_switch so that it works
//added a member_validator_chunk.txt file to use as an example if an external chunk is required to create the form with.

apart from that, the zip is basically the same....

[PaulD]

Hi Cris.D,

Just wanted to say how much I love this snippet. I used it once ages ago on a site I never finished (got bored of the whole idea) but have just installed it on a new site I am building. It worked perfectly, your instructions were perfect, and the functionality is fantastic!

I love this snippett(s).

Thank you again!

Paul.

PS It is nowhere near as complicated to install as it looks when you first read the instructions.

[Opal]

I've been using this snippet without issue for a few months on a live site. It's great!
But we've noticed recently when perusing the users that some that look suspiciously like bots are getting into the system, which was a big surprise to me, given the 3-step process. Has anyone had this happen, or have suggestions for curbing it?

[Cris D.]

Opal, on 14 July 2009 - 12:29 PM, said:

I've been using this snippet without issue for a few months on a live site. It's great!
But we've noticed recently when perusing the users that some that look suspiciously like bots are getting into the system, which was a big surprise to me, given the 3-step process. Has anyone had this happen, or have suggestions for curbing it?

That's interesting. Can you PM me some specifics and I'll look into it. I have this live an another site and have had no problems, but if it is letting bots through, I may be able to integrate captcha and also collect any additional info and email it to the site owner to check or provide an end-user interface to accept memberships (or not). If you give me as much as you can I wil investigate it (I want mine to be bullet proof as well).

[Cris D.]

I have updated this snippet (just the membership_verifier part) to fix a security flaw. If you have this on your site and it is V1.1, I suggest that you get the update and use it as a matter or priority.

I have had a look at how robots can create accounts, and the only way I can see them being stopped is with the use of captcha. This can be integrated into the snippet, but seeing that it is written to work with authenticate_visitor, it's easiest to enable captcha on that snippet. This will stop robots from verifying the account and therefore stopping them altogether.

Edited by Cris D., 09 September 2009 - 10:30 AM.

[darren]

2.0 doesn't work in my install - i tried to create a new account with it and only get the error 1 message. I tried unsuccessfully with several email accounts on 2 machines to be sure that i wasn't actually creating accounts with the same email or that it wasn't a browser cache issue... When i role back to 1.1 i can finish creating the account with step 3.



*additions follow...

i should say that this is in a production site that has worked for over a year with the original verification/validation snippets. I also installed the newer version today on my personal site, and can't create accounts there either.

*code sample removed...

Edited by darren, 11 September 2009 - 12:00 PM.

[Cris D.]

Let me guess, you clicked the archived membership_validator_smnippet_2.0 link instead of the "Download File" link at the snippet page. Yeah, I stuffed up and had a brain fart and thought that an MD5 hash contained only numbers, and made it with the is_numeric(). However, as you have discovered, this does not work because an MD5 hash contains numbers and letters. When I realised this (about 1 minute after I updated the file) I fixed it and uploaded another version called- you guessed it membership_validator_smnippet_2.0. Now if you click the archived file- you get the stuffed one but if you click "Download file" you get the good one.

FYI I am using a regex pattern to verify that it is an MD5 hash (32 hexidecimal characters). However, as I have read in blogs, if the md5 hash generator creates a hash that leads with a "0", then it may go back to 31 characters and miss the leading zero. I have not written this check into the code and should be the only way the script fails. I thought the chances of it ocurring would be remote. Go for the latest version and you'll be ok.

Good to see someone has upgraded (I think you may be the only one Darren). You obviously care about your site and data

Edited by Cris D., 11 September 2009 - 10:14 PM.

[darren]

OK - didn't realize there was a difference between the 'download' link and the top item in the archived list - glad to see it wasn't just me going crazy.

BTW i've removed the code from my post so it can stay somewhat secret if you remove it from yours...

And thanks for these snippets - they really helped me out on this site.

[Cris D.]

Done. We should work for CIB / FBI /ASIO with this great co-ordinated secrecy. Thanks agent darren (not real name of course).

[Opal]

Yay! Thank you for the update, Cris!

[Wiper2007]

Hi

trying to implement the snippet...

step 1 and 2 are ok ...but when I click on the link in the email adress I'll getting the following:

There is a registration error...this could be because:
1) you have attempted hack the site,
2) you have tried to create another account,
Please register again or contact the webmaster for assistance.

It creates the user in the DB because when I try again - it states that the username and email are already used...

can someone "pinpoint" where I've done wrong?

Edited by Wiper2007, 14 March 2010 - 12:11 AM.

[Cris D.]

I have put a lot of anti-hacking code in. If you cleared your browser sessions and started from scratch with a new user id and unique email you should be OK, otherwise you will have to start commenting out all the security checks in the code to test it to allow duplicate email addresses and multiple confirmations in a single session. It's most likely working correctly, you just need to take a break and re-think your testing strategy.

[Wiper2007]

Hi Chris

Hmmm.. I have now completed step 1 and 2 from my home computer sending a mail to my computer at work ...

So I'll try to confirm the email link from my computer at work like a "normal" user that's trying to register...

Cris D., on 15 March 2010 - 06:22 AM, said:

I have put a lot of anti-hacking code in. If you cleared your browser sessions and started from scratch with a new user id and unique email you should be OK, otherwise you will have to start commenting out all the security checks in the code to test it to allow duplicate email addresses and multiple confirmations in a single session. It's most likely working correctly, you just need to take a break and re-think your testing strategy.

Edited by Wiper2007, 15 March 2010 - 09:56 PM.

[Cris D.]

Wiper2007, on 15 March 2010 - 09:53 PM, said:

Hi Chris

Hmmm.. I have now completed step 1 and 2 from my home computer sending a mail to my computer at work ...

So I'll try to confirm the email link from my computer at work like a "normal" user that's trying to register...

Let us know how you go...