Create account not working in client
Target version: Version 0.9.0
It hangs the client. Attached is a patch that adds PHP files that make it work when they are used as the CreateAccountURL.
#1 Updated by Botanic about 1 year ago
- File 1875.patch added
Need this patch as well for CSS and removal of a redundant function.
#3 Updated by sfb about 1 year ago
- Assignee changed from Botanic to sfb
- Target version set to Version 0.9.0
I'll take this and remove the hard coding.
#4 Updated by nimetu about 1 year ago
1874.patch has a possible SQL injection in createUser() from the $email field.
$email is checked with validEmail(), and that allows an email like ["\'; SQL"@example.com] (this actually should be a valid email address).
There should be a line [$email=mysql_real_escape_string($email);] just before the SQL $query is created.
$login is checked with checkUser() to only allow alpha-numeric chars and is safe to use.
... also, checkUser() and checkEmail() both return 'success' when the actual field is not set.
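The two points raised in #4, as an added example that is not part of this thread or of either patch: the email is bound as a query parameter instead of being escaped into the SQL string, and an unset field is rejected rather than reported as valid. The names createUserSafe() and requireField(), the users table, and the in-memory SQLite database standing in for the project's MySQL server are all assumptions, and the script needs the pdo_sqlite extension.

```php
<?php
// Added example: createUserSafe(), requireField() and the users table are
// hypothetical; in-memory SQLite stands in for the project's MySQL database.

// Fail closed: an unset or empty field is an error, never 'success'.
function requireField(array $input, string $name): string
{
    if (!isset($input[$name]) || !is_string($input[$name]) || trim($input[$name]) === '') {
        throw new InvalidArgumentException("missing field: $name");
    }
    return trim($input[$name]);
}

// Bound parameters keep $email as data, whatever characters a valid address holds.
function createUserSafe(PDO $db, array $input): int
{
    $login = requireField($input, 'login');
    $email = requireField($input, 'email');
    if (!ctype_alnum($login)) {
        throw new InvalidArgumentException('login must be alpha-numeric');
    }
    $stmt = $db->prepare('INSERT INTO users (login, email) VALUES (:login, :email)');
    $stmt->execute([':login' => $login, ':email' => $email]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, email TEXT)');

// Constructed sample input: a quoted local part that contains a single quote.
$sample = ['login' => 'alice01', 'email' => '"o\'brien"@example.com'];
$id = createUserSafe($db, $sample);

// Read the row back and compare it with the input, byte for byte.
$check = $db->prepare('SELECT email FROM users WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $sample['email']);

// A request with no email field is rejected instead of passing validation.
try {
    createUserSafe($db, ['login' => 'bob02']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```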