
Oh I could've edited my first post instead of a new one :/

Thanks for mentioning this Macrura. I know it can be more secure because more people can improve the code, but I really like to go my own way where possible.

1 year later...
Posted (edited)
On 2/15/2013 at 9:01 AM, ryan said:

Just wanted to reiterate what Wanze said about this:


<input type='text' name='first_name' value='{$input->post->first_name}'>

This is a major security hole. For example, try submitting this in the first_name field:


'><script>alert('Gotcha!');</script>

...and if you can do that, you can do some pretty bad stuff.

Definitely entity encode user submitted input that gets output again. Wanze's example:


$v = $sanitizer->entities($input->post->first_name);
echo "<input type='text' name='first_name' value='$v'>";

If you are running an older version of PW that doesn't have the $sanitizer->entities() method (a fairly recent addition) then do this:


$v = htmlentities($input->post->first_name, ENT_QUOTES, 'UTF-8'); 

 

I don't know how to implement this. Does every input field in the form need to be replaced with a $variable? So the username field:

    <label class='label' for='username'>Username</label>
    <p class='control'>
    <span class='help is-info'>Please ensure your username contains <b>no spaces</b>. </span>
    <input type='text' class='input' name='username' value='{$v}'>
    </p>

Does the entities string go before or after the form entry above? Do I batch all the sanitizer entries first?

      $v = $sanitizer->entities($input->post->first_name);


Further down I am creating a user. Does this:

      $u->name = $sanitizer->username($input->post->username);

Need to be changed to:

      $u->name = $sanitizer->username($v);

If I can figure out the order for one field, I can apply it to all of them.
Edited by hollyvalero
trying to be more clear?
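As an added example (not code from the thread or from ProcessWire itself), here is one field carried through the whole flow that ryan's quoted advice describes: the raw POST value is read once, the copy that gets stored goes through $sanitizer->username(), and the copy that gets echoed back into the form goes through $sanitizer->entities(). It is written as a ProcessWire template snippet and assumes the $input, $sanitizer and User API; the form field names, the submit button name and the new User object are assumptions for illustration.

```php
<?php
// Added example, not from the original thread or ProcessWire.
// Assumes this runs inside a ProcessWire template file where $input and
// $sanitizer are available and the User class exists.

// 1. Read the raw submitted value once. Never echo this directly.
$rawUsername = $input->post->username;

// 2. Value to STORE: the sanitizer that fits the field's purpose.
//    username() reduces the value to characters a user name may contain,
//    so spaces and markup never reach the database.
$storedUsername = $sanitizer->username($rawUsername);

// 3. Value to OUTPUT: entity-encode the raw value so quotes and angle
//    brackets become text and cannot close the value='...' attribute.
//    This copy is for HTML only; it is never stored.
$v = $sanitizer->entities($rawUsername);
// Equivalent for older ProcessWire versions without entities(), as quoted above:
// $v = htmlentities($rawUsername, ENT_QUOTES, 'UTF-8');

$message = '';

// 'submit' is an assumed button name for this example.
if($input->post->submit) {
    if(strlen($storedUsername)) {
        $u = new User();            // constructed for the example
        $u->name = $storedUsername; // sanitized copy, not the entity-encoded $v
        $u->save();
        $message = 'Account created.';
    } else {
        $message = 'Please enter a valid username.';
    }
}

// The form is re-rendered with the encoded copy, whether or not saving worked.
echo "<label class='label' for='username'>Username</label>";
echo "<p class='control'>";
echo "<span class='help is-info'>Please ensure your username contains <b>no spaces</b>.</span>";
echo "<input type='text' class='input' name='username' value='$v'>";
echo "</p>";
if($message) echo "<p class='help'>" . $sanitizer->entities($message) . "</p>";
```

The two sanitizer calls answer the ordering question: both happen before any output, but they produce different copies for different destinations. Feeding the entity-encoded $v into $sanitizer->username() would store literal entity text such as &#039; in the user name, so the stored value comes from the raw POST value and only the echoed value is encoded. With this in place, the probe from ryan's quote is rendered inside the field as plain text instead of being executed.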