Done, changed owner. On 05/01/12 19:10, Luis Alejandro Martínez Faneyth wrote: > After i correct all this issues, should i fill in another ITP? > > On 17/12/11 18:24, Roberto C. Sánchez wrote: >> On Sat, Dec 17, 2011 at 06:08:35PM -0430, Luis Alejandro Martínez Faneyth >> wrote: >>> On 17/12/11 16:19, Sune Vuorela wrote: >>>> >>>> $sel_q = "SELECT * FROM NewUser" >>>> . " WHERE mail='" . $mail . "'" >>>> . " AND uid='" . $uid . "'" >>>> . " AND token='" . $token . "'" >>>> . " ORDER BY token DESC LIMIT 0,1"; >>> >>> Thanks for having a look :) >>> >>> Well, i perform a very strict validation before that query is made. >>> Lines 20 - 54: >>> >>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20 >>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54 >>> >>> You are still scared? >>> >> I would be. Bind variables exist for a reason. Aside from that, your >> validation of email addresses is wrong: >> >> // Invalid e-mail >> } elseif (preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $mail) >> == 0) { >> >> First off, there is nothing in the RFC that says that the email address >> must start with a letter, which your regex requires. In addition to >> that, you do not allow other allowed special characters: >> >> !#$%&'*/=?^_`{|}~"(),:;<>@[\] >> >> You also don't properly check for consecutive dots, so I could pass the >> email a....@foo.com and it pass your check, and still be wrong. >> >> What you have done is reinvent the wheel, and badly at that. >> >> If it were up to me, I would reject this package based on that one line >> of code alone. >>> >>> CODE IS POETRY >>> >> I find it terribly ironic that you have that satement in your email >> signature. >> >> Regards, >> >> -Roberto >> >
-- Luis Alejandro Martínez Faneyth Blog: http://www.huntingbears.com.ve/ Twitter/Identi.ca: @LuisAlejandro ED51 8FE7 4107 715D 0464 8366 F614 5A95 E78D AA2E CODE IS POETRY
signature.asc
Description: OpenPGP digital signature
