
Textpattern CMS support forum


#385 2014-01-21 19:46:45

admi
Member
From: BY
Registered: 2007-12-10
Posts: 145
Website

Re: mem_self_register

jeroenvg wrote #229557:

this is missing from mem_form 0.6/ mem_self_register 0.9.1, but available in mem_form 0.7/ mem_self_register 0.9.3, though not working on my install.

i mailed Manfre a fix. resolved (sorry for the noise).

Can anybody direct me on using admin_bcc and mem_self_new_user_priv, for I could not find any clear instructions on how to use the tags? I use this code and, needless to say, it does not send email to admin nor confer privs on a newly registered user.

<txp:mem_self_register_form from="mail@gmail.com" subject="[MySite] Hello!" thanks_form="THANX" admin_bcc="1"  new_user_priv="4" />

or do I have to edit the php code itself?

$mem_self = array(
	'admin_email'    => '',
	'admin_name'     => '',
	'admin_bcc'      => '0',
	'new_user_priv'  => '0',
	'status'         => false,
	'status_message' => 'You are already registered.',
	'email_message'  => ''
);

Offline

#386 2017-01-24 07:57:06

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: mem_self_register

Hi

is it normal that when you register a user using mem_self_register you can use a name as

"><script src=//something></script>

and have the user created without escaping it in mem_self_register? I thought that all mem_ input fields have htmlspecialchar on them!

Offline

#387 2017-05-16 11:10:21

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: mem_self_register

Hi

I wonder if someone experienced this strange behaviour: someone registered an account using mem_self_register without any email!! (on txp 4.5.7)

I don't know how that can happen!

If someone has any clue?

Offline

#388 2017-05-16 13:54:45

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007
Website GitHub Mastodon Twitter

Re: mem_self_register

Admittedly, I never used the plugin but this sounds serious. Do the server logs reveal any clues?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#389 2017-05-17 07:26:12

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: mem_self_register

Hi Yiannis

What bugs me is how an empty email can be registered in mysql because it's set as not NULL in txp_users! There's not a security problem here because with an empty email there is no possibility to receive the password!

Offline

#390 2017-05-17 18:07:15

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007
Website GitHub Mastodon Twitter

Re: mem_self_register

Dragondz wrote #305724:

Hi Yiannis

What bugs me is how an empty email can be registered in mysql because it's set as not NULL in txp_users! There's not a security problem here because with an empty email there is no possibility to receive the password!

You are absolutely right… Unless they managed to bypass pw authentication…. Yet again you are right!!!!

Edited to add: Did you try to replicate that behaviour? i.e. did you try registering yourself without an email?

Last edited by colak (2017-05-17 18:16:42)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#391 2017-05-18 07:39:45

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: mem_self_register

Hi Yiannis

Yes, I can replicate it! Very strange! The change is that instead of using mem_form_email I used mem_form_hidden, but I enforced it by using required="1"; even with that I see that an SQL statement like this works on the DB:

INSERT INTO `txp_users` (name,pass,RealName,email,privs) VALUES('test','test','Test','','5')

Offline

#392 2017-05-18 10:53:38

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: mem_self_register

Dragondz wrote #305727:

i see that an sql statement like that works on DB :INSERT INTO `txp_users` (name,pass,RealName,email,privs) VALUES

We’ve never enforced email address in core, as far as I’m aware. It can’t be NULL, but defaults to '' (empty string) if none is supplied. So if mem_self_reg isn’t passing one in, core won’t trap it. It’s up to the plugin or your business logic to enforce it.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#393 2017-05-20 08:57:46

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Re: mem_self_register

Thanks for the clarification, Stef.

The problem happens because I use mem_form_hidden, which I think is not checking the required attribute; if I use mem_form_email it checks whether a valid email was entered.

Cheers.

Offline
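Added example, not part of any post in this thread and not code from Textpattern or mem_self_register: a server-side check that covers both cases raised above (markup in the login name, and an empty email that the NOT NULL column accepts as ''). The function names and the login-name allowlist are assumptions made for illustration.

```php
<?php
// Added example: helper names are hypothetical, not Textpattern or mem_* APIs.

/**
 * Validate self-registration input on the server, regardless of which form
 * tag (visible email field or hidden field) supplied the values.
 * Returns a list of error strings; an empty list means the input is acceptable.
 */
function example_validate_registration(array $in): array
{
    $errors = [];
    $name  = trim((string)($in['name'] ?? ''));
    $email = trim((string)($in['email'] ?? ''));

    // Assumed policy: allowlist login names instead of stripping markup later.
    if (!preg_match('/^[A-Za-z0-9._-]{3,64}$/', $name)) {
        $errors[] = 'name: 3-64 characters from A-Z a-z 0-9 . _ -';
    }
    // The column default '' satisfies NOT NULL, so emptiness is caught here.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: a valid address is required';
    }
    return $errors;
}

/** Escape a stored value for an HTML text or attribute context at output time. */
function example_escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions mirroring the two cases in the thread.
$samples = [
    ['name' => '"><script src=//something></script>', 'email' => 'a@example.org'],
    ['name' => 'test', 'email' => ''],
    ['name' => 'test', 'email' => 'test@example.org'],
];
foreach ($samples as $s) {
    $errors = example_validate_registration($s);
    printf("%-45s %s\n", example_escape_html($s['name']),
        $errors ? 'REJECT: ' . implode('; ', $errors) : 'ACCEPT');
}
```

Validation on input and escaping on output are separate controls: the escape helper still applies wherever a stored name is rendered, including rows created before the check existed.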
