Is dangerous "_" in register?

Started by Jotade29, August 10, 2023, 09:44:49 PM


Jotade29

V: 2.0.19

Hello, reviewing a part of the code that I want to modify, I have come across the following in register.php (function to check name)

if (preg_match('~[<>&"\'?!\~=\\\]~', preg_replace('~&\'#(?:\\d{1,7}|x[0-9a-fA-F]{1,6});~', '', $context['checked_username'])) != 0 || $context['checked_username'] == '_' || $context['checked_username'] == '|' || strpos($context['checked_username'], '[code') !== false || strpos($context['checked_username'], '[/code') !== false)
	$context['valid_username'] = false;

Specifically the part of: $context['checked_username'] == '_'

My question is if it generates any danger/errors to allow the "_" in the nick.

Thanks
Quote from: Diego Andrés on August 12, 2023, 02:20:18 AM
I'm afraid convincing Jotade to upgrade to SMF 2.1 will require bigger effort than your work sanitizing Unicode characters  :laugh:

Doug Heffernan

Quote from: Jotade29 on August 10, 2023, 09:44:49 PM
My question is if it generates any danger/errors to allow the "_" in the nick.

There is no danger.

Sesquipedalian

It's not inherently dangerous, but it's not a good idea either. At the very least, a username like "_" would be annoying for other users to deal with. It is also possible that such a username would cause subtle problems in code that didn't expect it, such as a naively written mod.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Jotade29

Quote from: Doug Heffernan on August 11, 2023, 07:19:02 AM
Quote from: Jotade29 on August 10, 2023, 09:44:49 PM
My question is if it generates any danger/errors to allow the "_" in the nick.

There is no danger.

Thanks for your support, Doug :)

Quote from: Sesquipedalian on August 11, 2023, 12:02:48 PM
It's not inherently dangerous, but it's not a good idea either. At the very least, a username like "_" would be annoying for other users to deal with. It is also possible that such a username would cause subtle problems in code that didn't expect it, such as a naively written mod.

What you told me is very interesting! For fear of nicks giving errors, should I make a regex function that only allows letters and numbers for the register?

Thanks

Sesquipedalian

Quote from: Jotade29 on August 11, 2023, 04:47:55 PM
What you told me is very interesting! For fear of nicks giving errors, should I make a regex function that only allows letters and numbers for the register?

I can't answer that question because I have no idea what you are trying to do.

If this code you are writing is meant to impose requirements on usernames for SMF accounts, I think you should just leave the current code alone and let SMF handle this itself.

Jotade29

Quote from: Sesquipedalian on August 11, 2023, 05:05:19 PM
Quote from: Jotade29 on August 11, 2023, 04:47:55 PM
What you told me is very interesting! For fear of nicks giving errors, should I make a regex function that only allows letters and numbers for the register?

I can't answer that question because I have no idea what you are trying to do.

If this code you are writing is meant to impose requirements on usernames for SMF accounts, I think you should just leave the current code alone and let SMF handle this itself.

Thanks for your support, mad doctor!!

In this case, or rather, in this version, I think SMF handles it badly, and since the 2.0 branch no longer receives updates if I don't understand correctly, it's my turn to fix it... It has happened to me that a user has registered with a nick with rare characters and it appears without a name, so with a preg_match I want it to prohibit all special characters by creating a regex. I would like to allow the Spanish letters including the eñes, and I don't know if it is a good idea to put hyphens (-). What characters would you advise me to allow in nicks?

Thanks!!

Sesquipedalian

It sounds like you are concerned about problems due to certain Unicode characters and the need to prevent them from being used in usernames.

If those are your concerns, then I strongly recommend that you upgrade to SMF 2.1. Correctly sanitizing Unicode characters is a much, much more complex problem than one might initially expect. A great deal of effort went into dealing with this problem for SMF 2.1, and adjusting a simple regular expression in Register.php will not solve it for you.

If you wanted to allow only ASCII characters in usernames, you could do that with simple regular expressions, although you would need to change them in more places than just Register.php. But you want to allow Spanish characters like ñ, which means that you want to allow non-ASCII characters. If you want to do that while preventing people from using invisible formatting characters, etc., you need to do everything we did in SMF 2.1. It's a very big job.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
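
The gap this reply describes between an ASCII-only pattern and a pattern that also admits ñ, as an added example that is not part of the thread and is not SMF code. The helper name `username_problems()` and the allowed character set (ASCII letters and digits, Spanish accented letters, "_" and "-") are assumptions; PHP 7 or later is assumed and the intl extension is used when present.

```php
<?php
// Added illustration, not SMF code. username_problems() is a hypothetical
// helper; this file must be saved as UTF-8. Assumes PHP 7+ (intl optional).

/** Returns the reasons a name is rejected; an empty array means accepted. */
function username_problems(string $name): array
{
    // With the /u modifier, preg_match() fails on invalid UTF-8, so a
    // malformed name must be rejected before any pattern is applied.
    if (!mb_check_encoding($name, 'UTF-8'))
        return ['not valid UTF-8'];

    // "ñ" can arrive as U+00F1 or as "n" + U+0303 (combining tilde).
    // NFC folds both into one form so they match and store identically.
    if (class_exists('Normalizer'))
    {
        $nfc = Normalizer::normalize($name, Normalizer::FORM_C);
        $name = $nfc === false ? $name : $nfc;
    }

    $problems = [];
    $letters = 'A-Za-z0-9áéíóúüñÁÉÍÓÚÜÑ';

    // \p{C}: control, format (zero-width, bidi), unassigned, private use.
    if (preg_match('~\p{C}~u', $name))
        $problems[] = 'invisible or control character';

    // Allowlist: the letters above plus "_" and "-", nothing else.
    if (!preg_match('~^[' . $letters . '_-]+$~u', $name))
        $problems[] = 'character outside the allowlist';

    // Punctuation-only names such as "_" (the case asked about).
    if (!preg_match('~[' . $letters . ']~u', $name))
        $problems[] = 'no letter or digit';

    return $problems;
}

// Constructed sample inputs, not taken from the thread.
$samples = ['Jotade29', 'peña-1', "pen\u{0303}a", "admin\u{200B}", "\u{202E}nimda", '_'];
foreach ($samples as $s)
    printf("%-16s %s\n", json_encode($s), implode('; ', username_problems($s)) ?: 'ok');
```

Without the intl extension the decomposed "ñ" sample is rejected by the allowlist instead of being normalized. A check like this covers only the place it is called from, and it does not reproduce the Unicode handling in SMF 2.1.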

Diego Andrés

I'm afraid convincing Jotade to upgrade to SMF 2.1 will require bigger effort than your work sanitizing Unicode characters  :laugh:

SMF Tricks - Free & Premium Responsive Themes for SMF.

Sesquipedalian

Well, that's unfortunate. It really is a better, more robust version.

Jotade29

Quote from: Diego Andrés on August 12, 2023, 02:20:18 AM
I'm afraid convincing Jotade to upgrade to SMF 2.1 will require bigger effort than your work sanitizing Unicode characters  :laugh:

I was wondering for a long time, what can you put in your signature? And you give me the answer without asking,  ;D  ;D  ;D

Kindred, you, and 5 other people I remember always tell me the same thing. I would be delighted to upgrade to 2.1, but as you know it's not that easy, not because of having to see what's new in SMF 2.1.x, but because of adapting the mods and the theme.

I am a student lawyer, I am not a programmer, and in the last year modifying more than 20 modifications I have spent more than 200 hours of nights. I have learned, in my opinion, a lot of PHP, SQL and CSS thanks to SMF, because I didn't know anything... To give you an idea, I have modified the SMF Quiz and made it to my liking, for example, it had many security gaps with which users without powers could delete them, modify them, and I have solved it so that the ranks that I want can do it, I have modified the upload quiz button, so that the review status can also be canceled, so that once the quizzes are approved, they believe me in the forums that I want a post, putting signals so that when disabling it, and re-enabling it, no more topics are created, when someone modifies a quiz, that they explain why... I have created more than 10 new columns in the various tables of the Quiz, among other things... And the design issue has taken me several hours, to get it right... So I had to design several images with Photoshop... And learn CSS hundreds of properties to put boxes well aligned, control overflows... Leaving aside the modifications, some things have become obsolete in version 2.0.19, which I had to patch myself, such as the email system, that I had to install phpflexmail for it to work for me... Very few resource files have not been modified by me. Bringing all that work to a new version is a really big job, and I don't have that much time, plus many of the developers of the mods I use are no longer there, and they can't give me support...

I take advantage of this message to tell you not to let the Musiconica theme die!!!! It is the one I use, and I have adapted it to numerous mods. By far it seems to me the most beautiful theme of all the ones I've seen from 1.x, 2.0.x, 2.1.x... :P

As always, I want to once again thank all of you who support me for helping me. You are awesome!!

Quote from: Sesquipedalian on August 12, 2023, 12:47:07 PM
Well, that's unfortunate. It really is a better, more robust version.

You guys at SMF do a wonderful job, and I'm grateful for that, but as I said above, it's not that easy to migrate from 2.0.x to 2.1.x!!!! With regards to what has been commented, I have solved it in such a way that it does not allow a user to register, if they do not have the characters that I have indicated in my regex, by making the preg_match negative, together with a replace, I have been able to control the characters that I allow, and what I have tested cannot put another class of characters. I know my form will be somewhat simple, but it's efficient, since it does what I need. I am sure that the improvement that you have made to 2.1.x is very big, but since it is not possible for me to upgrade right now, I have to find my life as best I can. Again, many thanks to the SMF team for making such a wonderful product!!


Kindred

Well, actually, it IS that easy to migrate to 2.1.x

It's very simple. Sure, you need to find or develop a new theme... but that's pretty simple.
Mods, well that's the rub. In all honesty, the biggest question is - how many of the Mods do you ACTUALLY need?

Most of the main Mods HAVE been ported to 2.1.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Diego Andrés

Aside from the MODs, you should definitely try to turn those essential code changes you've made into some form of 'personal MODs' using hooks or even edits if you want. It will save you a lot of time in the long run and you'll be able to test it on a copy of SMF 2.1 because at some point in the future you will inevitably need to upgrade.


Sesquipedalian

Rather than putting all that effort into making old mods work with SMF 2.0, why not put that effort into making them work with SMF 2.1?

Jotade29

Thank you very much to all 3 for answering!!

Quote from: Kindred on August 12, 2023, 06:49:32 PM
Well, actually, it IS that easy to migrate to 2.1.x

It's very simple. Sure, you need to find or develop a new theme... but that's pretty simple.
Mods, well that's the rub. In all honesty, the biggest question is - how many of the Mods do you ACTUALLY need?

Most of the main Mods HAVE been ported to 2.1.

I missed reading you for my topics, Kindred!! I partially agree with what you say. Although I think it is more difficult than easy, since when you migrate to the new version, you want to preserve everything from the previous one, and not in many cases the mods are updated, and that is mostly what makes it difficult for you to go to a higher version, that's why many people are still using the 2.0 branch, and even 1.x... I use more than 20 mods, each one manually installed by me to debug code, and this is how I learned PHP: SMF Mods; simplemachines.org; stackoverflow, other forums in Spanish, and API PHP... Without forgetting the SMF wiki, most days I'm there to review the global variables, which by the way, I think the wiki went down on Monday-Tuesday from SMF :/. The mods that I use are mostly oriented towards Law education topics.

Quote from: Diego Andrés on August 12, 2023, 06:55:46 PM
Aside from the MODs, you should definitely try to turn those essential code changes you've made into some form of 'personal MODs' using hooks or even edits if you want. It will save you a lot of time in the long run and you'll be able to test it on a copy of SMF 2.1 because at some point in the future you will inevitably need to upgrade.

You make a good point. The hooks issue, it would be great if the SMF staff made a good guide with some examples on the hooks, to be able to understand them, and to be able to make the mods compatible. I want to learn about hooks but they only gave me a guide with 4 things a long time ago, which did not clear up my doubts.

Quote from: Sesquipedalian on August 12, 2023, 06:59:28 PM
Rather than putting all that effort into making old mods work with SMF 2.0, why not put that effort into making them work with SMF 2.1?

I don't know what a 2.0 branch mod needs to be compatible with 2.1.x. As I have told Diego Andrés, a guide on your wiki would be great, for example, with examples. In addition, the time invested is invested, it would be spending all that time again in the new version, which on the other hand one day I'll have to do, but I need knowledge about it!!!

Kindred

It's not up to the smf staff to update or review how to make mods compatible... that is on the mod author.
As for manually installing... you do realize that the biggest feature in SMF over other forum systems is our package manager and two click installation of mods?

I installed 256 mods into a 2.0.x site a few years ago - in about 4 hours - using the package manager, so only minimal manual changes where mods overlapped (and not many of those)