MyBB Community Forums

Full Version: Invalid Charitors in usernames
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
Migrated from MyPHP 3.0 into MYBB everything worked great other then in my forum users need to use the "<" and ">" character in usernames.

So basically I wanted to know. How I can edit what characters users can have inside there usernames?

Right now when users try to register with the or change usernames to what I require they get an invalid character error. not sure what I need to edit to change this
@Alucardz it shows this error only if username is empty or username contains one of this charactes: < > & \ ; ,

What version of MyBB are you using?
I've installed version 1.8.7 ahhh your right its not the "( )" charters it is actually "< >"! My forum is a game clan forum so we need "< >" charters to complete our tags <(T2K)>. we've had these tags for over ten years now

I will try and edit my post above thanks for the correction.


here is the error that occurs
•The username you entered contains bad characters. Please enter a different username.
I don't know if there will be problems by adding these two charactes. You can do it editing file xmlhttp.php
At line 933 there's this:
if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))

remove this:
strpos($username, "<") !== false || strpos($username, ">") !== false
Thank's so much for the help. I'll edit as soon as I get a chance "out on vacation" and test the result.
(2016-07-08, 10:40 PM)chack1172 Wrote: [ -> ]I don't know if there will be problems by adding these two charactes. You can do it editing file xmlhttp.php
At line 933 there's this:
if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))

remove this:
strpos($username, "<") !== false || strpos($username, ">") !== false

So I did edit this out. but for some reason I'm still getting this error when attempting to use  "<" ">"   (The username you entered contains bad characters. Please enter a different username.) I'm guessing there is something else somewhere?
Tell me the name you are inserting
Sure <(T2K)>Username or in some cases <(TK)>Username  it still seems that something is triggering an error with the "<" ">" charters but i'm just not sure where its coming from. I was testing with <(T2K)>Locked
Had a little time tonight to dig into this further.   Smile found what looks to be the functioning code vs the other code inside of the xmlhttp.php file. It doesn't look to even be used apparently."guessing"

Loaded up the whole forum code inside of my favorite editor and then did a quick search to see where the error was originating from.
 
turns out the code inside of inc/datahandlers/user.php  is identical to other code inside of the then it adds the error that is generated to the end of it. The one that i'm currently seeing  when using a "<" or ">" for a username


Current Code user.php file line 109

// Check for certain characters in username (<, >, &, commas and slashes)
 if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
{
$this->set_error("bad_characters_username");
return false;
} 

I'll edit the code to this and test some more now then post the result  Cool


// Check for certain characters in username (<, >, &, commas and slashes)
 if(strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
{
$this->set_error("bad_characters_username");
return false;
}

Looks like this does fix my problem Lightbulb .. I'll update if I find it causes other problems or security issues
Note that it's not recommended to allow any HTML entities in usernames, otherwise people may inject HTML in their usernames, which is not blocked in many places before MyBB 1.8.8 (not released yet),
Pages: 1 2