[PHP] Stopping ' from being used in name.

Sync · Dec 5, 2016

I dont know alot of PHP so I need some simple help fixing this problem with creating characters on the website with a ' in the name. It affects my onLook creaturescript.

This is the line of accountmanagement.php im trying to edit to block it.

PHP:

function checkName()
{
        if(document.getElementById("newcharname").value=="")
        {
            document.getElementById("name_check").innerHTML = \'<b><font color="red">Please enter new character name.</font></b>\';
            return;
        }
        nameHttp=GetXmlHttpObject();
        if (nameHttp==null)
        {
            return;
        }
        var newcharname = document.getElementById("newcharname").value;
        var url="?subtopic=ajax_check_name&name=" + newcharname + "&uid="+Math.random();
        nameHttp.onreadystatechange=NameStateChanged;
        nameHttp.open("GET",url,true);
        nameHttp.send(null);
}

My friend suggested trying,

PHP:

if(strpos("'", newcharname)==true)

+

PHP:

$searchstring= "'";
if(strpos($searchstring, $newcharname)==true)

+

PHP:

if(ctype_alpha(newcharname)==false)

But none seem to work, Any help will be greatly appreciated. Thanks

Danger II · Dec 5, 2016

I think you are trying to edit the wrong part - if you use gesior I can tell you for 100% it is the wrong part

J.Dre · Dec 5, 2016

The simplest way is probably to just block the keypress event entirely with something like this:

http://pastebin.com/GuhdRqH4

Good to see you're still around, Sync. Good luck!

Jano · Dec 5, 2016

J.Dre said:
The simplest way is probably to just block the keypress event entirely with something like this:

http://pastebin.com/GuhdRqH4

Good to see you're still around, Sync. Good luck!

Never a good idea to rely on client side validation only, what if the person on the other side uses tamper data or similar addons, then you skip the whole client side validation.

Danger II · Dec 5, 2016

Above this line:
https://github.com/gesior/Gesior2012/blob/TFS-0.4_rev_3703+/pages/accountmanagement.php#L713

Add:

Code:

if (strpos($newchar_name, "'") !== false)
$newchar_errors[] = 'Please enter a valid character name';

Didnt try cause im on mobile but let me know if it works

Sync · Dec 5, 2016

Danger II said:
Above this line:
https://github.com/gesior/Gesior2012/blob/TFS-0.4_rev_3703+/pages/accountmanagement.php#L713

Add:

Code:

if(strpos("'", $newchar_name)==true) $newchar_errors[] = 'Please enter a valid character name';

Didnt try cause im on mobile but let me know if it works

Tried that Danger II, Still doesn't block players from creating with the '

J.Dre · Dec 5, 2016

Jano said:
Never a good idea to rely on client side validation only, what if the person on the other side uses tamper data or similar addons, then you skip the whole client side validation.

Hmm, good point. I suppose that may be possible. Then again, it's the simplest way to accomplish this, that I could think of offhand.

Perhaps using 'preg_match' is better? http://pastebin.com/CUpDV4Pr

Sync · Dec 5, 2016

I fixed it.
Thanks for your help guys.

Danger II · Dec 5, 2016

Sync said:
Tried that Danger II, Still doesn't block players from creating with the '

I was wrong with strpos, first var then string, try again please (updated above)
Let me know right after, mobil sucks rly hard

Just tested, should work fine

Znote · Dec 5, 2016

I prefer to use whitelist validation, like this sample from Znote AAC:

PHP:

if (!preg_match("/^[a-zA-Z_ ]+$/", $_POST['name'])) {
    $errors[] = 'Your name may only contain a-z, A-Z and spaces.';
}

[PHP] Stopping ' from being used in name.

Sync

Ø,ø

Danger II

tibiara.com

J.Dre

Unity Games

Jano

oturhaN

Danger II

tibiara.com

Sync

Ø,ø

J.Dre

Unity Games

Sync

Ø,ø

Danger II

tibiara.com

Znote

<?php echo $title; ?>