white spaces at end of username at login

Hi, today I just encountered a strange behavior in the default login system (with db).

You can login using the username plus an indefinite number of whitespaces at the end and the action succeeds.

The username in the web app is now username + whitespaces.

It is also possible to have a login with white spaces at the end and log in omitting them.

Is this behavior normal or intended?

Of course it’s possible to validate the input, but it’s kind of unexpected behavior…

What do you mean by "the default login system (with db)" ?

Neither the framework nor the application generated by the yiic webapp command implements an actual database-based authentication - it’s your responsibility.

Can you post your code (UserIdentity class, User model) ?

PHP trim() is probably at work here – I run all my usernames through it.

OK, it’s true that I took the example from the manual page, but in my opinion there is a problem anyway. Here is my code for the authenticate method:

UserIdentity class

...

    public function authenticate()
    {
        //echo "-$this->username-";exit;   // debug: shows the username exactly as passed in
        // Look up the user by the submitted username, untrimmed
        $record=User::model()->findByAttributes(array('username'=>$this->username));
        if($record===null)
            $this->errorCode=self::ERROR_USERNAME_INVALID;
        else if($record->password!==md5($this->password))
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        else
        {
            $this->_id=$record->id;
            $this->errorCode=self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

...

LoginForm class

...

    public function login()
    {
        if($this->_identity===null)
        {
            // The identity receives the username exactly as typed into the form
            $this->_identity=new UserIdentity($this->username,$this->password);
            $this->_identity->authenticate();
        }
        if($this->_identity->errorCode===UserIdentity::ERROR_NONE)
        {
            $duration=$this->rememberMe ? 3600*24 : 3600; // 1 day if remembered, 1 hour otherwise
            Yii::app()->user->login($this->_identity,$duration);
            return true;
        }
        else
            return false;
    }

...


Nothing original here. The echo line is there if you want to see the passed username.

Well, I can enter "username" or "username ", and I can still log in.

As suggested above, is it possible that findByAttributes trims the value at a certain point? (I do not override the method in my user class). The consequence is that the user for the session can be "username " if it’s not trimmed.

I’m not sure if this is correlated, but logging in to this forum with "username " is allowed.
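An added example, not code from the thread or from Yii itself: a version of authenticate() that canonicalizes the submitted username and then re-checks in PHP that the stored username is byte-for-byte identical to it. The reason this check is needed is that the framework does not trim anything; if the database is MySQL, CHAR/VARCHAR comparison under a PAD SPACE collation treats 'username ' and 'username' as equal, so findByAttributes() matches the row without any trimming. It assumes the User model, column names and error constants used in the thread's code.

```php
<?php
// Added example (not the thread's or Yii's own code): hardened authenticate()
// for a Yii 1.x UserIdentity. Assumes the User model and columns from the thread.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        // Canonicalize once, before the lookup, so the value used for the
        // query, the comparison and the session are all the same.
        $username = trim($this->username);
        if ($username === '') {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return false;
        }

        $record = User::model()->findByAttributes(array('username' => $username));

        // Under a MySQL PAD SPACE collation 'username ' = 'username' is true,
        // so the lookup alone cannot tell the two apart. Re-check in PHP,
        // where === compares the bytes exactly. A row whose stored username
        // itself carries trailing whitespace is rejected as well; such rows can be
        // found with LENGTH(username) <> LENGTH(TRIM(username)) and cleaned up.
        if ($record === null || $record->username !== $username) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif ($record->password !== md5($this->password)) {
            // Password check kept as in the thread's code; the hashing
            // scheme itself is a separate topic.
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $record->id;
            // Put the stored spelling into the session, never the submitted one.
            $this->username = $record->username;
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;
    }
}
```

With this in place "username " logs in as "username" (trimmed before the lookup), and the session username is always the value stored in the database.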