jaytea commented on a Page, Basic Bot framework v0.2  -  Jan 02, 2011

//echo -a $iif(test = !$isalnum,a,b)

When you're running tests such as the above, you must remember to test the converse:

//echo -a $iif(... = !$isalnum,a,b)

which would result in 'a' if that check were equivalent to the !isalnum operator. This has never been the case; that check is simply a use of the '=' operator and compares the left operand with the literal string '!$isalnum'. Because of this, a user is still able to supply certain strings as passwords that could be used to exploit your code in the very same manner that you described earlier.

The reason for these exploits is simple: $readini(), by default, fetches the data associated with the given item and evaluates it once. You can prevent this from happening by using the 'n' option in $readini():

if ($readini($+($1,.ini),n,info,password) == $2) {
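An added example (not jaytea's code and not part of the Basic Bot framework) that puts the two points above side by side in mIRC script: the '=' comparison against the text '!$isalnum' versus the real !isalnum operator, and $readini with and without the n option. The alias names (demo.*), the alice.ini file and its info/password layout are made up for the illustration.

```mirc
; Added illustration, not code from jaytea's comment or the Basic Bot framework.
; Alias names (demo.*) and the <name>.ini / [info] / password layout are assumed.

; Step 1: the password filter. demo.filter.bad is the mistake described above,
; a plain '=' comparison against the literal text "!$isalnum"; demo.filter.good
; uses the !isalnum operator, so text such as $me or $calc(1+1) is rejected.
alias demo.filter.bad  { return $iif($1 = !$isalnum,rejected,accepted) }
alias demo.filter.good { return $iif($1 !isalnum,rejected,accepted) }

; Step 2: store the password behind the good filter.
; /writeini evaluates its arguments once, so to plant the literal text
; $calc(1+1) in the file (what the bad filter would let through) you would
; type: /writeini alice.ini info password $!calc(1+1)
alias demo.register {
  if ($demo.filter.good($2) == rejected) { echo -a password must be alphanumeric | return }
  writeini $+($1,.ini) info password $2
}

; Step 3: the login check.
; Without n, $readini evaluates the stored value once: a stored $calc(1+1)
; compares equal to 2, and a stored $me compares equal to the bot's own nick,
; so the attacker logs in without knowing what is actually in the file.
alias demo.login.bad {
  if ($readini($+($1,.ini),info,password) == $2) { return ok }
  return fail
}

; With n, the raw text is returned and compared literally.
alias demo.login.good {
  if ($readini($+($1,.ini),n,info,password) == $2) { return ok }
  return fail
}
```

After planting the literal $calc(1+1) as shown in the comment, //echo -a $demo.login.bad(alice,2) prints ok while $demo.login.good(alice,2) prints fail, which is the difference the n option makes. $readini also accepts a p option alongside n, which stops a stored pipe character from being treated as a command separator; the two are usually combined as np when reading user-controlled data.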