diff -r b25d34fbc7ab -r e0787bb6285b includes/sessions.php --- a/includes/sessions.php Sun Jan 20 22:34:02 2008 -0500 +++ b/includes/sessions.php Mon Jan 21 10:09:48 2008 -0500 @@ -14,7 +14,7 @@ */ // Prepare a string for insertion into a MySQL database -function filter($str) { return $db->escape($str); } +function filter($str) { global $db; return $db->escape($str); } /** * Anything and everything related to security and user management. This includes AES encryption, which is illegal in some countries. @@ -1692,7 +1692,14 @@ // Initialize AES $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.'; + // Since we're recording IP addresses, make sure the user's IP is safe. + $ip =& $_SERVER['REMOTE_ADDR']; + if ( !is_valid_ip($ip) ) + return 'Invalid IP'; + + if ( !preg_match('#^'.$this->valid_username.'$#', $username) ) + return 'The username you chose contains invalid characters.'; + $username = str_replace('_', ' ', $username); $user_orig = $username; $username = $this->prepare_text($username); @@ -1766,13 +1773,13 @@ $actkey = sha1 ( microtime() . mt_rand() ); // We good, create the user - $this->sql('INSERT INTO '.table_prefix.'users ( username, password, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa ) VALUES ( \''.$username.'\', \''.$password.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ' );'); + $this->sql('INSERT INTO '.table_prefix.'users ( username, password, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$password.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );'); // Get user ID and create users_extra entry $q = $this->sql('SELECT user_id FROM '.table_prefix."users WHERE username='$username';"); if ( $db->numrows() > 0 ) { - $row = $db->fetchrow(); + list($user_id) = $db->fetchrow_num(); $db->free_result(); $user_id =& $row['user_id'];