HCS forums and tracker closing... by hcs at 1:38 AM EDT on August 26, 2011
....just kidding.... HCS, might you bother "fixing" this potential issue, despite no one "exploiting" it in the 6 or so years this forum has been running?
Of course, this will make user names like mine (containing spaces) a thing of the past & would require underscores instead.
EDIT: Alright. I'm not sure if this will work, but here's my edit. I hope it can be implemented properly, hcs (I'm talking to the real hcs, not the impostor).
In the account registration form (starting from line 412 of the forum source, provided on this site):
// Original registration check (forum source as quoted):
} else if (isset($_GET['adduser2'])) { // **** Add a user to the database
    pageheader();
    // check if user already exists
    $query = mysqli_prepare($dbh, "SELECT idx FROM users WHERE uname = ?");
    mysqli_stmt_bind_param($query, 's', $_POST['uname']); // raw name, untrimmed
    mysqli_stmt_execute($query) or die(mysqli_error($dbh));
    mysqli_stmt_store_result($query);
    $results = mysqli_stmt_num_rows($query);
    mysqli_stmt_close($query);

// Edited version: trim the submitted name before the uniqueness check:
} else if (isset($_GET['adduser2'])) { // **** Add a user to the database
    pageheader();
    // check if user already exists
    $regname = $_POST['uname'];   // the name exactly as submitted on the form
    $uname = trim($regname);      // strip leading/trailing whitespace (PHP trim's default set)
    $query = mysqli_prepare($dbh, "SELECT idx FROM users WHERE uname = ?");
    mysqli_stmt_bind_param($query, 's', $uname); // compare the trimmed name, not the raw POST value
    mysqli_stmt_execute($query) or die(mysqli_error($dbh));
    mysqli_stmt_store_result($query);
    $results = mysqli_stmt_num_rows($query);
    mysqli_stmt_close($query);
The edit should take the user's provided name, pass it to the variable "regname" & trim all breaking/non-breaking spaces from the beginning & end of the string. The result is then passed to the "uname" variable before being compared to any existing user in the database. This, at least, is how it's intended to work. I'll test it soon & report back (unless someone else will).
It should work fine with your name; trim only removes leading and trailing spaces. There's nothing to prevent people from using invisible Unicode, though. It really doesn't bother me.
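The reply above points out that trim() only strips the ends of the string and does nothing about invisible Unicode inside a name. The following is an added example, not code from the forum or from either poster, showing what a uniqueness check that goes beyond trim looks like: it folds compatibility characters with NFKC, drops format and control characters (zero-width space, joiners, soft hyphen), collapses any Unicode whitespace including non-breaking spaces, and case-folds before comparing against existing users. It is written in Python rather than PHP purely to illustrate the normalization logic; the user table and the sample names are constructed for the example.

```python
import unicodedata

# Unicode general categories that are invisible or purely structural:
# Cf = format (U+200B zero-width space, U+200D joiner, U+00AD soft hyphen),
# Cc = control, Zl/Zp = line/paragraph separators.
_STRIP_CATEGORIES = {"Cf", "Cc", "Zl", "Zp"}


def canonical_username(raw: str) -> str:
    """Return the key under which a name is compared for uniqueness.

    Two submitted names that differ only by leading/trailing or doubled
    whitespace, non-breaking spaces, zero-width characters, fullwidth
    letters, or letter case map to the same key.
    """
    # NFKC maps compatibility forms (fullwidth letters, NBSP, ligatures) to base characters.
    name = unicodedata.normalize("NFKC", raw)
    # Remove format/control characters wherever they appear, not just at the ends.
    name = "".join(ch for ch in name if unicodedata.category(ch) not in _STRIP_CATEGORIES)
    # str.split() with no argument splits on all Unicode whitespace; rejoining with a
    # single space collapses interior runs and trims both ends.
    name = " ".join(name.split())
    # casefold() is stricter than lower() (handles e.g. German sharp s).
    return name.casefold()


def try_register(users: dict, raw: str) -> tuple:
    """Attempt to add a user; users maps canonical key -> display name.

    Returns (True, key) on success or (False, reason) when the name is empty
    after normalization or collides with an existing account.
    """
    key = canonical_username(raw)
    if not key:
        return (False, "name is empty after normalization")
    if key in users:
        return (False, "collides with existing user %r" % users[key])
    users[key] = raw.strip()  # keep the display form the user typed, minus end whitespace
    return (True, key)


def demo() -> dict:
    """Constructed walkthrough: seed two accounts, then try lookalike registrations."""
    users = {}
    try_register(users, "hcs")
    try_register(users, "Some Name")
    attempts = [
        " hcs ",            # trailing/leading spaces: caught by plain trim too
        "hcs\u200b",        # zero-width space appended: trim would miss this
        "\u00a0hcs",        # non-breaking space: outside PHP trim's default set
        "\uff48\uff43\uff53",  # fullwidth 'hcs'
        "HCS",              # case variant
        "Some\u00a0 Name",  # NBSP plus doubled space inside the name
        "Another User",     # genuinely new name
    ]
    return {raw: try_register(users, raw) for raw in attempts}


if __name__ == "__main__":
    for raw, outcome in demo().items():
        print(repr(raw), "->", outcome)
```

Only the last attempt in demo() succeeds; every other variant normalizes to a key that is already taken. The same canonical key should be what the SELECT compares against (stored in its own column), so that the check at registration time and the lookup at login time agree.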