djlurchg
Groupie
Joined: 31 March 2006
Status: Offline
Points: 40
|
Topic: Username: 15 Characters? Posted: 10 April 2006 at 5:12am |
|
I migrated from 6 to 7 to 8 tonight. I am not happy with the upgrade. All usernames were truncated to 15 letters. Not happy about this. I need to go through and now manually update everyone's username. :(
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 10 April 2006 at 11:22am |
|
The 15 limit username has always been implemented as far as I remember, or at least since version 7 was released 3 years ago.
Sorry, my memory doesn't really stretch further back than that to remember how things were handled in version 6, but a full re-write was done in version 7 to add more security, including limiting and filtering user input to prevent SQL injections.
|
 |
djlurchg
Groupie
Joined: 31 March 2006
Status: Offline
Points: 40
|
Posted: 10 April 2006 at 5:05pm |
|
If the input is properly verified, there won't be a problem with SQL injections. In fact, the most effective SQL injection is ' or ''=' which is far less than 15 characters. One of the many reasons I put off upgrading from 6 to 7 was this concatenation. Support issues are requiring the unfortunate migration.
The only place that would require checks for SQL injection is the initial signup. Possibly the admin, but anyone with admin rights can already do plenty of damage. All you need to do is do a check for letters, letters, and a few acceptable other characters when a new user signs up.
|
 |
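The length point raised in the post above, as an added example that is not part of the original thread or of Web Wiz Forums' code: the `' or ''='` string quoted there is 9 characters, so a 15-character limit leaves a string-built query exposed, while a bound parameter treats it as plain data. The table, column and function names are assumptions, and Python's `sqlite3` stands in for the forum's database layer.

```python
import sqlite3

MAX_LEN = 15            # username limit discussed in the thread
PAYLOAD = "' or ''='"   # string quoted in the post above (9 characters)

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO members VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def find_member_concat(db, username):
    # 'Before': input is length-limited, then pasted into the SQL text.
    username = username[:MAX_LEN]
    sql = "SELECT username FROM members WHERE username = '" + username + "'"
    return sorted(row[0] for row in db.execute(sql))

def find_member_bound(db, username):
    # 'After': the value is passed as a bound parameter, never as SQL text,
    # so quotes in it cannot change the structure of the statement.
    sql = "SELECT username FROM members WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (username,)))

if __name__ == "__main__":
    db = make_db()
    # The length limit does not help: every row matches.
    print("concat + payload:", find_member_concat(db, PAYLOAD))
    # Bound parameter: the payload is just a username nobody has.
    print("bound  + payload:", find_member_bound(db, PAYLOAD))
    # A legitimate name with an apostrophe works without any filtering.
    print("bound  + O'Brien:", find_member_bound(db, "O'Brien"))
    # The string-built query cannot even look that member up.
    try:
        find_member_concat(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concat + O'Brien: query failed:", exc)
```
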
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 10 April 2006 at 5:10pm |
|
Many months have been spent over the last few years on researching security issues to make sure that Web Wiz Forums is secure.
There is a lot more to SQL Injections than you may think, also the filters etc. also have to protect against other forms of hacking such as XSS.
Since Web Wiz Forums has become more popular it is now a target for hackers, so every angle needs to be covered, using every security measure possible.
You'd be amazed the lengths some hackers go to and the ways that they find to get around systems, no matter how secure you think they are.
Edited by -boRg- - 10 April 2006 at 5:13pm
|
 |
djlurchg
Groupie
Joined: 31 March 2006
Status: Offline
Points: 40
|
Posted: 10 April 2006 at 7:11pm |
|
borg:
I've read quite a few articles about SQL injection. As long as most punctuation is disallowed, I haven't seen any issues.
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html
You're right, I would be surprised to hear about SQL Injection attacks that don't revolve around a few characters (',",or,=,;). If you make sure usernames don't contain (;,=) and properly prepare for others (',") then there shouldn't be a problem.
If you have any links to SQL Injection attacks using other characters, I'd be VERY interested, as I would need to secure my own applications.
|
 |
wistex
Mod Builder Group
Joined: 30 August 2003
Location: United States
Status: Offline
Points: 877
|
Posted: 11 April 2006 at 1:12am |
|
Is there a place where we can change the length of the usernames then so we don't get them truncated?
|
 |