On 17/12/11 18:24, Roberto C. Sánchez wrote: > On Sat, Dec 17, 2011 at 06:08:35PM -0430, Luis Alejandro Martínez Faneyth > wrote: >> On 17/12/11 16:19, Sune Vuorela wrote: >>> >>> $sel_q = "SELECT * FROM NewUser" >>> . " WHERE mail='" . $mail . "'" >>> . " AND uid='" . $uid . "'" >>> . " AND token='" . $token . "'" >>> . " ORDER BY token DESC LIMIT 0,1"; >> >> Thanks for having a look :) >> >> Well, i perform a very strict validation before that query is made. >> Lines 20 - 54: >> >> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20 >> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54 >> >> You are still scared? >> > I would be. Bind variables exist for a reason. Aside from that, your > validation of email addresses is wrong: > > // Invalid e-mail > } elseif (preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $mail) > == 0) { > > First off, there is nothing in the RFC that says that the email address > must start with a letter, which your regex requires. In addition to > that, you do not allow other allowed special characters: > > !#$%&'*/=?^_`{|}~"(),:;<>@[\] > > You also don't properly check for consecutive dots, so I could pass the > email a....@foo.com and it pass your check, and still be wrong.
Thank you, i will correct that inmediately. > > What you have done is reinvent the wheel, and badly at that. I coudn't find any other user friendly interface to manage user accounts from an LDAP. > > If it were up to me, I would reject this package based on that one line > of code alone. >> >> CODE IS POETRY >> > I find it terribly ironic that you have that satement in your email > signature. Don't. It does not states that i'm a poetrician :) > > Regards, > > -Roberto > -- Sin más que agregar y siempre a la orden, Luis Alejandro Martínez Faneyth Ingeniero de Telecomunicaciones Blog: http://www.huntingbears.com.ve/ Twitter: @LuisAlejandro GPG Key = E78DAA2E CODE IS POETRY -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4eed2693.6070...@gmail.com
