Geeklog Forums
CUSTOM registration and the usercheck function
earnest
Anonymous
Running Geeklog 1.4.1
My custom registration works well at user registration.
But the user is able to go into his Account Settings AFTER registration, remove all the custom fields he entered, then resave his account. Geeklog doesn't go through the usercheck routine to make sure the data is there.
Is there anyone willing to help?
I see the problem.
In usersettings.php (the script that lets a user edit his account) there is this:
Text Formatted Code
function saveuser($A){
    // ...
    // Call custom registration save function if enabled and exists
    if ($_CONF['custom_registration'] AND (function_exists('CUSTOM_userSave'))) {
        CUSTOM_userSave($_USER['uid']);
    }
    // ...
}
It is calling CUSTOM_usersave.
Well, in my lib-custom.php, the CUSTOM_userSave function looks something like this:
Text Formatted Code
function CUSTOM_usersave($uid)
{
    global $_TABLES;
    // Filter the submitted custom fields
    $firstname = COM_applyFilter($_POST['cust_firstname']);
    $lastname = COM_applyFilter($_POST['cust_lastname']);
    $phone = COM_applyFilter($_POST['cust_phone']);
    // etc., etc.
    DB_query("UPDATE {$_TABLES['usersextended']} SET firstname='$firstname' WHERE uid='$uid'");
    DB_query("UPDATE {$_TABLES['usersextended']} SET lastname='$lastname' WHERE uid='$uid'");
    DB_query("UPDATE {$_TABLES['usersextended']} SET phone='$phone' WHERE uid='$uid'");
}
So we can see that we never check the user contents before saving.
The reason it all works at registration is that users.php calls CUSTOM_usercheck to make sure the data is valid.
My CUSTOM_usercheck looks something like this:
Text Formatted Code
/**
 * Check if it's okay to create a new user.
 *
 * Geeklog is about to create a new user with the given username and email
 * address. This is the custom code's last chance to prevent that,
 * e.g. to check if all required data has been entered.
 *
 * @param string $username username that Geeklog would use for the new user
 * @param string $email email address of that user
 * @return string an error message or an empty string for "OK"
 *
 */
function CUSTOM_usercheck ($username, $email) {
    $msg = '';
    // Check fields and complain if missing
    if (empty($_POST['cust_phone'])) {
        $msg = 'Please enter your home phone!';
    }
    if (empty($_POST['cust_lastname'])) {
        $msg = 'Please enter your last name!';
    }
    if (empty($_POST['cust_firstname'])) {
        $msg = 'Please enter your first name!';
    }
    return $msg;
}
OBVIOUSLY I AM MISSING SOMETHING? ANYONE KNOW WHAT IT IS?
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Quote by: earnest
OBVIOUSLY I AM MISSING SOMETHING? ANYONE KNOW WHAT IT IS?
No, you aren't missing anything. Geeklog is.
Try adding this to usersettings.php in the saveform() function. Search for the comment
// a quick spam check with the unfiltered field contents
and insert this before it. It might work, I haven't checked.
Text Formatted Code
if ($_CONF['custom_registration'] && function_exists('CUSTOM_userCheck')) {
    $msg = CUSTOM_userCheck($username, $email);
    if (!empty($msg)) {
        // no, it's not okay with the custom userform
        return COM_refresh($_CONF['site_url']
                           . '/usersettings.php?mode=edit&msg=$msg');
    }
}
// a quick spam check with the unfiltered field contents
earnest
Anonymous
Thanks a lot for your reply.
I actually tried this exact code and in exactly the place you described. The $msg from CUSTOM_usercheck does not display because the COM_refresh line expects a message number. CUSTOM_usercheck sends the message itself in $msg.
Otherwise, this code works, and I can tell it works by inserting an echo of the $msg variable - like this:
Text Formatted Code
if ($_CONF['custom_registration'] && function_exists('CUSTOM_userCheck')) {
    $msg = CUSTOM_userCheck($username, $email);
    if (!empty($msg)) {
        echo $msg;
        return COM_refresh($_CONF['site_url']
                           . '/usersettings.php?mode=edit&msg=$msg');
    }
}
I was hoping that the problem was with me, and that I would not have to alter the original code. Thanks very much for your help!
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Well, hopefully one of the Devs will come along and make a fix to the core code. This is a quick hack.
Replace the "COM_refresh" with:
Text Formatted Code
global $MESSAGE;
$MESSAGE[9999] = $msg;
$display .= COM_siteHeader('menu', $LANG04[16]);
$display .= COM_showMessage(9999);
$display .= edituser();
$display .= COM_siteFooter();
echo $display;
exit;
earnest
Anonymous
Ah. I didn't know I could use 9999 as a generic code for all the messages. That is a nice and simple hack. Much better than what I did (which, though it worked, I won't mention further because it is too embarrassing).
Thanks much!
-E
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
It's just a number. It only works because we did not refresh.
Status: offline
Blaine
Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location: Canada
Quote by: jmucchiello
Well, hopefully one of the Devs will come along and make a fix to the core code.
What is there to modify? as this is the way it's supposed to work. Just define $MESSAGE[xx] in your lib-custom.php file at the top as a global and pass back xx as the integer reference to the error message.
Geeklog components by PortalParts -- www.portalparts.com
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Quote by: Blaine
What is there to modify?
Blaine, read the first post. Usersettings.php doesn't call CUSTOM_usercheck when modifying the profile data. So "required" fields on login can be erased by going to your profile after you log in. That is the core change I'm hoping for.
Also, CUSTOM_usercheck returns a string as an error. How does this get maintained after COM_refresh? It can't be. Thus, the second mod. CUSTOM_usercheck should have allowed the return of message codes but it wasn't designed that way. The caller of CUSTOM_usercheck could check if the return is numeric and do a COM_refresh with msg=returnvalue but that's not how it works at the moment.
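The gap discussed in this thread is a required-field check that runs on the registration path but not on the profile-edit path, plus an error string that cannot survive a redirect. The following is an added example, not code from the original posts or from Geeklog core, showing one validator shared by both paths and returning a numeric message code; the helper names `custom_validateProfile`, `custom_checkOnRegister`, `custom_saveOnEdit` and the message numbers 9001-9003 are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example: hypothetical helper names, constructed message numbers; not Geeklog core.
// Required custom fields (names from the thread) mapped to message numbers.
const CUSTOM_REQUIRED = [
    'cust_firstname' => 9001,
    'cust_lastname'  => 9002,
    'cust_phone'     => 9003,
];
const CUSTOM_MESSAGES = [
    9001 => 'Please enter your first name!',
    9002 => 'Please enter your last name!',
    9003 => 'Please enter your home phone!',
];

// One validator for every write path: 0 means OK, otherwise the message
// number of the first missing field. Whitespace-only input counts as missing.
function custom_validateProfile(array $post): int
{
    foreach (CUSTOM_REQUIRED as $field => $code) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            return $code;
        }
    }
    return 0;
}

// Registration path: keeps the string return contract of CUSTOM_usercheck.
function custom_checkOnRegister(array $post): string
{
    $code = custom_validateProfile($post);
    return $code === 0 ? '' : CUSTOM_MESSAGES[$code];
}

// Profile-edit path: refuse to save invalid data and return a numeric code,
// which can be carried in a redirect such as ...?mode=edit&msg=<code>.
function custom_saveOnEdit(array $post, callable $save): int
{
    $code = custom_validateProfile($post);
    if ($code === 0) {
        $save($post);
    }
    return $code;
}

// Constructed input: a logged-in user blanks the phone field and resaves.
$stored = ['cust_firstname' => 'Ann', 'cust_lastname' => 'Lee', 'cust_phone' => '555-0100'];
$edit   = ['cust_firstname' => 'Ann', 'cust_lastname' => 'Lee', 'cust_phone' => '   '];
$code = custom_saveOnEdit($edit, function (array $p) use (&$stored) { $stored = $p; });
printf("code=%d msg=%s phone=%s\n", $code, CUSTOM_MESSAGES[$code] ?? 'saved', $stored['cust_phone']);
```

Because the save callback only runs when validation returns 0, the stored record keeps its previous phone number when the edit is rejected.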
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Quote by: luizcruz
Hello,
sorry, not understand.
Thanks
Luiz
This thread is about a bug in custom registration.
Try this thread for an example of custom registration.