Textpattern CMS support forum
#385 2014-01-21 19:46:45
Re: mem_self_register
jeroenvg wrote #229557:
This is missing from mem_form 0.6 / mem_self_register 0.9.1, but available in mem_form 0.7 / mem_self_register 0.9.3, though not working on my install.
I mailed Manfre a fix. Resolved (sorry for the noise).
Can anybody direct me on using admin_bcc and mem_self_new_user_priv, as I could not find any clear instructions on how to use the tags? I use this code and, needless to say, it neither sends email to the admin nor confers privs on a newly registered user.
<txp:mem_self_register_form from="mail@gmail.com" subject="[MySite] Hello!" thanks_form="THANX" admin_bcc="1" new_user_priv="4" />
Or do I have to edit the PHP code itself?
$mem_self = array(
    'admin_email'    => '',
    'admin_name'     => '',
    'admin_bcc'      => '0',
    'new_user_priv'  => '0',
    'status'         => false,
    'status_message' => 'You are already registered.',
    'email_message'  => ''
);
#386 2017-01-24 07:57:06
Re: mem_self_register
Hi
Is it normal that when you register a user using mem_self_register you can use a name such as
"><script src=//something></script>
and have the user created without escaping it in mem_self_register? I thought that all mem_ input fields have htmlspecialchars applied to them!
#387 2017-05-16 11:10:21
Re: mem_self_register
Hi
I wonder if someone has experienced this strange behaviour: someone registered an account using mem_self_register without any email!! (on txp 4.5.7)
I don't know how that can happen!
Does anyone have any clue?
#388 2017-05-16 13:54:45
Re: mem_self_register
Admittedly, I never used the plugin but this sounds serious. Do the server logs reveal any clues?
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
#389 2017-05-17 07:26:12
Re: mem_self_register
Hi Yiannis
What bugs me is how an empty email can be registered in MySQL, because it's set as NOT NULL in txp_users! There's not a security problem here, because with an empty email there is no possibility to receive the password!
#390 2017-05-17 18:07:15
Re: mem_self_register
Dragondz wrote #305724:
Hi Yiannis
What bugs me is how an empty email can be registered in MySQL, because it's set as NOT NULL in txp_users! There's not a security problem here, because with an empty email there is no possibility to receive the password!
You are absolutely right… Unless they managed to bypass pw authentication…. Yet again you are right!!!!
Edited to add: Did you try to replicate that behaviour? I.e., did you try registering yourself without an email?
Last edited by colak (2017-05-17 18:16:42)
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
#391 2017-05-18 07:39:45
Re: mem_self_register
Hi Yiannis
Yes, I can replicate it! Very strange! The change is that instead of using mem_form_email I used mem_form_hidden, but I enforced it by using required="1"; even with that, I see that an SQL statement like this works on the DB:
INSERT INTO `txp_users` (name,pass,RealName,email,privs) VALUES('test','test','Test','','5')
#392 2017-05-18 10:53:38
Re: mem_self_register
Dragondz wrote #305727:
I see that an SQL statement like that works on DB: INSERT INTO `txp_users` (name,pass,RealName,email,privs) VALUES
We’ve never enforced email address in core, as far as I’m aware. It can’t be NULL, but defaults to '' (empty string) if none is supplied. So if mem_self_reg isn’t passing one in, core won’t trap it. It’s up to the plugin or your business logic to enforce it.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
#393 2017-05-20 08:57:46
Re: mem_self_register
Thanks for the clarification, Stef.
The problem happens because I use mem_form_hidden, which I think is not checking the required attribute; if I use mem_form_email, it checks that a valid email has been inserted.
Cheers.
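A sketch of the server-side check that post #392 leaves to "the plugin or your business logic", added here as an example; it is not part of the thread and is not mem_self_register or Textpattern code. The function names `check_registration` and `html_escape` and the field names are hypothetical; the check runs the same way whichever form tag (hidden or email) delivered the value, and it also covers the unescaped-name case from post #386.

```php
<?php
// Added example: hypothetical helpers, not mem_self_register or Textpattern code.

/**
 * Validate registration input on the server, whatever form field type
 * (hidden, text, email) delivered it. Returns a list of error strings.
 */
function check_registration(array $in): array
{
    $errors = [];
    $name  = is_string($in['name'] ?? null) ? trim($in['name']) : '';
    $email = is_string($in['email'] ?? null) ? trim($in['email']) : '';

    // Login names: allow-list of characters rather than trying to strip markup.
    if (!preg_match('/^[A-Za-z0-9_.-]{3,64}$/', $name)) {
        $errors[] = 'name: 3-64 characters from A-Z a-z 0-9 _ . -';
    }
    // The email column is NOT NULL with default '', so the database accepts
    // an empty string; it has to be rejected before the INSERT.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: a valid address is required';
    }
    return $errors;
}

/** Escape a stored value for an HTML context at output time. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions mirroring the cases reported in this thread.
$samples = [
    ['name' => 'test', 'email' => ''],
    ['name' => '"><script src=//something></script>', 'email' => 'a@example.com'],
    ['name' => 'test', 'email' => 'test@example.com'],
];

foreach ($samples as $sample) {
    $errors = check_registration($sample);
    echo html_escape($sample['name']), ' => ',
        $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```

Validation on input and escaping on output are separate controls: the allow-list keeps markup out of new login names, while `html_escape` protects any page that prints names already stored.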