Register with additional data
Hi Maurits,
First of all, I would like to thank you for your work and for this great lib. I have a user table, and it contains many columns, including name, address, company, etc. After I register, I can fill the other fields with another request, but can I use the /register endpoint somehow to fill these fields (not only the username, password and id) in one request? Or am I thinking wrong, and this isn't a good approach?
Best regards, Adam
Hi Adam, thank you for creating this issue. You touch upon a very good point here. I think you could have a "user" table and a "customer" table (with the customer_id being the multi-tenancy key). It would make sense to insert a new customer when registering a new user. I think the software could facilitate this (better). What would you expect? A handler to return a new customer record? Or something else? Kind regards, Maurits
Sorry for commenting on an old post but I've also encountered this issue. The current code processes only the username and password no matter how many fields are sent during registration. Is this intentional or should we also process other data such as the users' email address, first or last name etc.?

@apps-caraga Are you willing to do a PR that provides this functionality and mitigates the SQL injection risk?
@mevdschee Still trying to make the code work to my requirements, but still stuck on how to best sanitize the inputs. Maybe I'll just accept the alphanumeric characters and drop any input that doesn't meet that? (I'm not good at regex tho. 😁 )
A regex that filters non-alpha is:
$clean = preg_replace('/[^a-z0-9]/', '', $dirty);
See: https://regexr.com/
NB: I think sanitizing is not the way to prevent injection. Proper escaping will prevent injection.
Thanks for this @mevdschee . I'm considering regex because as of now, users can register names like <h1>user001</h1> and output looks funny on the users page. So I'm hoping to restrict the usernames to alphanumeric and some other chars like dots or underscores.
As for prevention of SQL injection, I'm still tracing the user registration process. For now, I can see it starting from the register endpoint, which calls createSingle(), which in turn calls getInsert(), which prepares the insert statement and returns it to createSingle(), where the values are inserted. Just to verify, do any of these perform proper escaping?
Yes, createSingle() is safe to use.
The idea is, starting at line 8112 of api.php
    $data = json_decode($registerUser, true);
    // fall back to the original posted body so the extra fields are available
    $data = is_array($data) ? $data : (array)$body;
    // the column names of the users table
    $userTableColumns = $table->getColumnNames();
    foreach ($data as $key => $value) {
        if (!in_array($key, $userTableColumns)) {
            // drop posted keys that are not user columns, otherwise createSingle() would choke on them
            unset($data[$key]);
        } elseif ($key !== $usernameColumnName && $key !== $passwordColumnName) {
            // sanitize the other posted data (username and password are handled below)
            $data[$key] = filter_var($value, FILTER_SANITIZE_ENCODED);
        }
    }
    // username and password keep their usual procedure, whether or not they were in the posted data
    $data[$usernameColumnName] = $username;
    $data[$passwordColumnName] = password_hash($password, PASSWORD_DEFAULT);
    // proceed with the rest of the procedure and let createSingle() do its job
    $this->db->createSingle($table, $data);
So I got this code working, but I have some issues. I get the following error when I insert a new user with an existing email address.
Fatal error: Uncaught PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry
Based on my needs, the account registration procedure will ask for a unique email address, so we need to check whether certain data, e.g. the email address or other unique columns, is already in the database. Is it possible to check this at the same time as checking the unique username? The thing is, for other setups there may be more than one unique field aside from the username.
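The following is an added, stand-alone example and not code from php-crud-api or from anyone in this thread. It pulls together the three points raised above: the username allow-list regex (for the `<h1>user001</h1>` problem), Maurits' point that escaping, not sanitizing, is what prevents injection (here via PDO bound parameters), and the duplicate-entry error (one SELECT over every unique column before the INSERT, with the UNIQUE constraint caught as the final guard). The function names `registerUser` and `quoteIdent`, the `users` table, its columns and the `$uniqueColumns` list are all assumptions made for the example; it uses an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not php-crud-api code: a stand-alone version of the register step.
// It whitelists posted keys against the schema, validates the username with an
// allow-list regex, checks all unique columns in one query, and relies on PDO
// prepared statements (bound values) rather than sanitizing to keep input out of SQL.

function quoteIdent(string $name): string
{
    // Identifiers cannot be bound; quote them, and only ever pass names taken
    // from the schema (the column list below), never from the request body.
    return '"' . str_replace('"', '""', $name) . '"';
}

function registerUser(PDO $pdo, string $table, array $body, array $uniqueColumns,
                      string $usernameColumn = 'username', string $passwordColumn = 'password'): array
{
    // Column whitelist from the schema (stands in for $table->getColumnNames()).
    $columns = [];
    foreach ($pdo->query('PRAGMA table_info(' . quoteIdent($table) . ')') as $row) {
        $columns[] = $row['name'];
    }
    // Keep only posted keys that are real columns, and never let the client choose the id.
    $data = [];
    foreach ($body as $key => $value) {
        if ($key !== 'id' && in_array($key, $columns, true)) {
            $data[$key] = is_string($value) ? trim($value) : $value;
        }
    }
    // Username allow-list: this is validation for display purposes, not what makes SQL safe.
    $username = (string) ($data[$usernameColumn] ?? '');
    if (!preg_match('/^[a-z0-9._]{3,32}$/i', $username)) {
        return ['error' => 'username may only contain letters, digits, dots and underscores'];
    }
    $password = (string) ($data[$passwordColumn] ?? '');
    if (strlen($password) < 8) {
        return ['error' => 'password too short'];
    }
    $data[$passwordColumn] = password_hash($password, PASSWORD_DEFAULT);

    // One SELECT checks every unique column; the OR lets us report which one clashed.
    $where = [];
    $params = [];
    foreach ($uniqueColumns as $col) {
        if (isset($data[$col])) {
            $where[] = quoteIdent($col) . ' = ?';
            $params[] = $data[$col];
        }
    }
    if ($where) {
        $sql = 'SELECT ' . implode(', ', array_map('quoteIdent', $uniqueColumns))
            . ' FROM ' . quoteIdent($table) . ' WHERE ' . implode(' OR ', $where) . ' LIMIT 1';
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            foreach ($uniqueColumns as $col) {
                if (isset($data[$col]) && (string) $row[$col] === (string) $data[$col]) {
                    return ['error' => $col . ' already exists'];
                }
            }
        }
    }
    // Insert with bound values. The UNIQUE constraint stays as the final guard: two
    // concurrent registrations can both pass the SELECT, so catch the violation too.
    $cols = array_keys($data);
    $sql = 'INSERT INTO ' . quoteIdent($table) . ' (' . implode(', ', array_map('quoteIdent', $cols)) . ')'
        . ' VALUES (' . implode(', ', array_fill(0, count($cols), '?')) . ')';
    try {
        $pdo->prepare($sql)->execute(array_values($data));
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE 23000 = integrity constraint violation
            return ['error' => 'duplicate entry'];
        }
        throw $e;
    }
    return ['id' => (int) $pdo->lastInsertId(), $usernameColumn => $username];
}

// Constructed in-memory schema so the example runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL, email TEXT UNIQUE, name TEXT, address TEXT)');

$requests = [   // constructed request bodies
    ['username' => 'user001', 'password' => 'correct horse', 'email' => 'a@example.com',
     'name' => "O'Neil", 'role' => 'admin'],          // the quote in name is harmless when bound; role is dropped
    ['username' => 'user002', 'password' => 'correct horse', 'email' => 'a@example.com'], // duplicate email
    ['username' => '<h1>user003</h1>', 'password' => 'correct horse'],                     // fails the regex
];
foreach ($requests as $body) {
    print_r(registerUser($pdo, 'users', $body, ['username', 'email']));
}
// Free-text columns such as name still need escaping when rendered as HTML:
echo htmlspecialchars("O'Neil <b>", ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Two design points worth noting: the username regex is there to stop markup from ending up on the users page, while the thing that keeps the quote in `O'Neil` from ever touching SQL is the bound parameter, which is the same mechanism createSingle() relies on; and the pre-insert SELECT gives a friendly "email already exists" message, but only the UNIQUE constraint plus the catch of SQLSTATE 23000 closes the race between two registrations that check at the same moment.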