

[Snippet] membership_validator


24 replies to this topic

#16 Opal

    Etomite Forum Newbie

  • Member
  • 23 posts

Posted 03 November 2009 - 02:59 PM

Yay! Thank you for the update, Cris!

#17 Wiper2007

    Etomite Forum Fan

  • Member
  • 76 posts

Posted 12 March 2010 - 10:12 PM

Hi

trying to implement the snippet...

step 1 and 2 are ok ...but when I click on the link in the email address I'm getting the following:

There is a registration error...this could be because:
1) you have attempted hack the site,
2) you have tried to create another account,
Please register again or contact the webmaster for assistance.

It creates the user in the DB because when I try again - it states that the username and email are already used...

can someone "pinpoint" where I've done wrong?

Edited by Wiper2007, 14 March 2010 - 12:11 AM.


#18 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 15 March 2010 - 06:22 AM

I have put a lot of anti-hacking code in. If you cleared your browser sessions and started from scratch with a new user id and unique email you should be OK, otherwise you will have to start commenting out all the security checks in the code to test it to allow duplicate email addresses and multiple confirmations in a single session. It's most likely working correctly, you just need to take a break and re-think your testing strategy.

#19 Wiper2007

    Etomite Forum Fan

  • Member
  • 76 posts

Posted 15 March 2010 - 09:53 PM

Hi Chris

Hmmm.. I have now completed step 1 and 2 from my home computer sending a mail to my computer at work ...

So I'll try to confirm the email link from my computer at work like a "normal" user that's trying to register...

Cris D., on 15 March 2010 - 06:22 AM, said:

I have put a lot of anti-hacking code in. If you cleared your browser sessions and started from scratch with a new user id and unique email you should be OK, otherwise you will have to start commenting out all the security checks in the code to test it to allow duplicate email addresses and multiple confirmations in a single session. It's most likely working correctly, you just need to take a break and re-think your testing strategy.

Edited by Wiper2007, 15 March 2010 - 09:56 PM.


#20 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 16 March 2010 - 08:18 AM

Wiper2007, on 15 March 2010 - 09:53 PM, said:

Hi Chris

Hmmm.. I have now completed step 1 and 2 from my home computer sending a mail to my computer at work ...

So I'll try to confirm the email link from my computer at work like a "normal" user that's trying to register...


Let us know how you go...

#21 Wiper2007

    Etomite Forum Fan

  • Member
  • 76 posts

Posted 16 March 2010 - 12:30 PM

Didn't work...

still getting the error....

any suggestions ?

Cris D., on 16 March 2010 - 08:18 AM, said:

Let us know how you go...


#22 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 16 March 2010 - 09:37 PM

Wiper2007, on 16 March 2010 - 12:30 PM, said:

Didn't work...

still getting the error....

any suggestions ?


1) Make sure you are using the latest version of this snippet, I posted one that did not validate the hash correctly. Make sure that the membership_validator snippet has these lines:

$hash=$_GET['hash'];
//stop hacking attempts
if(!preg_match('#^[a-f0-9]{32}$#i', $hash)) 
return $messages['error1'];

not this:
if(is_numeric($_GET['hash'])){
$hash=$_GET['hash'];
}else{ 
//someone is trying to inject GET values into the browser
return $messages['error1'];}
which is totally wrong for an MD5 hash (being letters and numbers).

i.e. make sure you are getting the snippet from the "Download File" button, NOT the list of archive files listed below on the download page.
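
Added example (not part of Cris D.'s post or the snippet's own code): the two checks quoted above, run side by side over constructed inputs, plus a stricter variant of the regex. The function names, the is_string() guard and the sample token are assumptions made for illustration.

```php
<?php
// Added example, not the snippet's own code. Function names are hypothetical.

// Older check quoted in the post: passes only values PHP considers numeric.
function hash_ok_numeric($value) {
    return is_numeric($value);
}

// Regex from the post, wrapped in an is_string() guard (the guard is an addition).
function hash_ok_posted($value) {
    return is_string($value) && preg_match('#^[a-f0-9]{32}$#i', $value) === 1;
}

// Stricter variant (assumption): \A and \z anchor to the true start and end,
// because "$" without the D modifier also matches before a final newline.
function hash_ok_strict($value) {
    return is_string($value) && preg_match('#\A[a-f0-9]{32}\z#i', $value) === 1;
}

// Constructed sample inputs; the 32-character value is made up, not a real token.
$token = 'a3f5c1d2e4b6a7980f1e2d3c4b5a6978';
$samples = array(
    'well-formed hex token' => $token,
    'digits only, 32 chars' => '12345678901234567890123456789012',
    'float notation'        => '1e5',
    'trailing newline'      => $token . "\n",
    'too short'             => 'abc123',
    'array (hash[]=x)'      => array('x'),
    'missing parameter'     => null,
);

foreach ($samples as $label => $value) {
    printf(
        "%-24s numeric=%-5s posted=%-5s strict=%s\n",
        $label,
        var_export(hash_ok_numeric($value), true),
        var_export(hash_ok_posted($value), true),
        var_export(hash_ok_strict($value), true)
    );
}
```

The well-formed token fails the numeric check, which produces the registration error described in this thread; the trailing-newline row is the only one where the posted regex and the stricter variant disagree.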

#23 Wiper2007

    Etomite Forum Fan

  • Member
  • 76 posts

Posted 17 March 2010 - 10:20 PM

Hi Chris

I've downloaded it by clicking the download button...

I've the:

$hash=$_GET['hash'];
//stop hacking attempts
if(!preg_match('#^[a-f0-9]{32}$#i', $hash)) 
return $messages['error1'];

in the membership_verifier snippet - and not in the membership_validator... is this correct?


Cris D., on 16 March 2010 - 09:37 PM, said:

1) Make sure you are using the latest version of this snippet, I posted one that did not validate the hash correctly. Make sure that the membership_validator snippet has these lines:

$hash=$_GET['hash'];
//stop hacking attempts
if(!preg_match('#^[a-f0-9]{32}$#i', $hash)) 
return $messages['error1'];

not this:
if(is_numeric($_GET['hash'])){
$hash=$_GET['hash'];
}else{ 
//someone is trying to inject GET values into the browser
return $messages['error1'];}
which is totally wrong for an MD5 hash (being letters and numbers).

i.e. make sure you are getting the snippet from the "Download File" button, NOT the list of archive files listed below on the download page.


#24 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 18 March 2010 - 09:49 AM

Yeah that's right. PM me if you want me to take a hands on look.

#25 Wiper2007

    Etomite Forum Fan

  • Member
  • 76 posts

Posted 20 March 2010 - 08:07 AM

Hi Chris

Thanks - but I'm uninstalling the snippets...


Cris D., on 18 March 2010 - 09:49 AM, said:

Yeah that's right. PM me if you want me to take a hands on look.





