vb.org Archive - Attempting to Limit User Password Length Through PHP Plugins

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)

- - Attempting to Limit User Password Length Through PHP Plugins (https://vborg.vbsupport.ru/showthread.php?t=286398)

Attempting to Limit User Password Length Through PHP Plugins

Hey all,
I'm trying to make it so user passwords need to be at least 6 to 20 characters long.
PHP Plugins:

register_addmember_process

PHP Code:


		
			
echo strlen($_POST['password']);
echo strlen($vbulletin->GPC['password']);

if (strlen($vbulletin->GPC['password']) < 6) {
    $userdata->error('test1');
} else if (strlen($vbulletin->GPC['password']) > 20) {
    $userdata->error('fieldmissing');
}

profile_updatepassword_start

PHP Code:


		
			
echo strlen($_POST['newpassword']);
echo strlen($vbulletin->GPC['newpassword']);

if (strlen($vbulletin->GPC['newpassword']) < 6){
    eval(standard_error("Invalid Password. Your password must be at least 6 characters and no more than 20 characters in length.")); 
} else if (strlen($vbulletin->GPC['newpassword']) > 20) {
    eval(standard_error("12")); 
}

Now for some reason, every time I execute a plugin, both of the echo statements echo out '0' because supposedly the field I'm calling has no length.

If anyone could help me out and explain what needs to be done to actually obtain the length of the password inputted in the textfield, I'd appreciate it!

Thanks,
Mark

Wouldn't you check the register template and evaluate password1.value and password2.value?

Quote:

Originally Posted by Simon Lloyd (Post 2355111)

Wouldn't you check the register template and evaluate password1.value and password2.value?

I want something that's not able to be changed by the user, meaning nothing in HTML/JS.

I think your problem is that normally the user's browser hashes the password and clears the plain text password field. You can disable that by defining DISABLE_PASSWORD_CLEARING to 1, such as in your config.php or in a plugin:

Code:

define('DISABLE_PASSWORD_CLEARING', 1);

or if you wanted you might be able to define it only for the registration and profile pages so that you still have that security feature for normal logins.

Quote:

Originally Posted by kh99 (Post 2355116)

Code:

define('DISABLE_PASSWORD_CLEARING', 1);

or if you wanted you might be able to define it only for the registration and profile pages so that you still have that security feature for normal logins.

Would that lead to potential vulnerabilities and security exploits?

Quote:

Originally Posted by Mko (Post 2355204)

Would that lead to potential vulnerabilities and security exploits?

I don't think so. What it does is it keeps the password from being sent "in the clear". But it doesn't even really protect your forum because if someone were somehow monitoring communications between a users' browser and your forum they could just as easily intercept the hashed password and use it to log in. (but they wouldn't know what the original password was, which I think is the point).

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code_printable (2)bbcode_php_printable (3)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (6)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01018 seconds Memory Usage 1,734KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code_printable (2)bbcode_php_printable (3)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (6)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: