Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page Attempting to Limit User Password Length Through PHP Plugins
FAQ Members List Calendar Search Today's Posts Mark Forums Read
  #1  
Old 08-06-2012, 11:23 PM
Mko's Avatar
Mko Mko is offline
 
Join Date: May 2009
Location: East Coast, USA
Posts: 60
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Attempting to Limit User Password Length Through PHP Plugins
Hey all,
I'm trying to make it so user passwords need to be at least 6 to 20 characters long.
PHP Plugins:

register_addmember_process
PHP Code:
echo strlen($_POST['password']);
echo strlen($vbulletin->GPC['password']);

if (strlen($vbulletin->GPC['password']) < 6) {
    $userdata->error('test1');
} else if (strlen($vbulletin->GPC['password']) > 20) {
    $userdata->error('fieldmissing');
profile_updatepassword_start
PHP Code:
echo strlen($_POST['newpassword']);
echo strlen($vbulletin->GPC['newpassword']);

if (strlen($vbulletin->GPC['newpassword']) < 6){
    eval(standard_error("Invalid Password. Your password must be at least 6 characters and no more than 20 characters in length.")); 
} else if (strlen($vbulletin->GPC['newpassword']) > 20) {
    eval(standard_error("12")); 
Now for some reason, every time I execute a plugin, both of the echo statements echo out '0' because supposedly the field I'm calling has no length.

If anyone could help me out and explain what needs to be done to actually obtain the length of the password inputted in the textfield, I'd appreciate it!


Thanks,
Mark
Reply With Quote
  #2  
Old 08-06-2012, 11:33 PM
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Wouldn't you check the register template and evaluate password1.value and password2.value?
Reply With Quote
  #3  
Old 08-06-2012, 11:35 PM
Mko's Avatar
Mko Mko is offline
 
Join Date: May 2009
Location: East Coast, USA
Posts: 60
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Simon Lloyd View Post
Wouldn't you check the register template and evaluate password1.value and password2.value?
I want something that's not able to be changed by the user, meaning nothing in HTML/JS.
Reply With Quote
  #4  
Old 08-06-2012, 11:53 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I think your problem is that normally the user's browser hashes the password and clears the plain text password field. You can disable that by defining DISABLE_PASSWORD_CLEARING to 1, such as in your config.php or in a plugin:

Code:
define('DISABLE_PASSWORD_CLEARING', 1);

or if you wanted you might be able to define it only for the registration and profile pages so that you still have that security feature for normal logins.
Reply With Quote
  #5  
Old 08-07-2012, 09:54 AM
Mko's Avatar
Mko Mko is offline
 
Join Date: May 2009
Location: East Coast, USA
Posts: 60
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by kh99 View Post
I think your problem is that normally the user's browser hashes the password and clears the plain text password field. You can disable that by defining DISABLE_PASSWORD_CLEARING to 1, such as in your config.php or in a plugin:

Code:
define('DISABLE_PASSWORD_CLEARING', 1);
or if you wanted you might be able to define it only for the registration and profile pages so that you still have that security feature for normal logins.
Would that lead to potential vulnerabilities and security exploits?
Reply With Quote
  #6  
Old 08-07-2012, 11:47 AM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Mko View Post
Would that lead to potential vulnerabilities and security exploits?
I don't think so. What it does is it keeps the password from being sent "in the clear". But it doesn't even really protect your forum because if someone were somehow monitoring communications between a users' browser and your forum they could just as easily intercept the hashed password and use it to log in. (but they wouldn't know what the original password was, which I think is the point).
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 08:01 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07296 seconds
  • Memory Usage 2,219KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (2)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete