OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS

Added control over userID definition to prevent an invalid userID: #73

Closed paulocmguerreiro closed 10 years ago

paulocmguerreiro commented 10 years ago

Added control over userID definition to prevent the userID: …
- cannot be null
- cannot be empty
- Length should be between User::$minUserIDNChars and User::$maxUserIDNChars
- Only Letters and numbers allowed

Throws a UserIDInvalid exception otherwise

abiusx commented 10 years ago

If by userID you mean username, it's a valid check, and it's a good idea to have a regex do all that work. -A



On Oct 22, 2013, at 6:29 PM, Paulo Guerreiro notifications@github.com wrote:


You can merge this Pull Request by running:
git pull https://github.com/paulocmguerreiro/phpsec master
Or view, comment on, or merge it at: https://github.com/OWASP/phpsec/pull/73

Commit Summary: Added control over userID definition to prevent the userID:

File Changes:
M libs/auth/user.php (33)
M libs/auth/usermanagement.php (1)
M test/libs/auth/UserTest.php (35)

Patch Links: https://github.com/OWASP/phpsec/pull/73.patch https://github.com/OWASP/phpsec/pull/73.diff

paulocmguerreiro commented 10 years ago

Thanks. The credit for this issue goes to Rahul; he had it reported in his project.

rash805115 commented 10 years ago

Hey Paulo, as Minhaz pointed out, these things are also allowable in userID: (underscore), (dot), (@). Basically an emailID can be a userID, so anything that is allowed in emails can be present in userID. So you need to modify your code and make a pull request both in phpsec as well as rnj.
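The rule set from the PR description, extended with the underscore, dot and @ characters that the last comment asks for, as an added PHP example written for this page (it is not the phpsec project's own code; the class name, the constant bounds and the messages are assumptions, and only the three extra characters named in the thread are whitelisted):

```php
<?php
// Added example, not phpsec's implementation. Validates a userID against the PR's
// rules (not null, not empty, bounded length, whitelisted characters) plus the
// underscore, dot and @ allowed per the follow-up comment, so an email-style ID passes.

class UserIDInvalid extends InvalidArgumentException {}

final class UserIDPolicy
{
    // Assumed bounds; phpsec keeps these in User::$minUserIDNChars / User::$maxUserIDNChars.
    const MIN_CHARS = 3;
    const MAX_CHARS = 64;

    // Whitelist of ASCII letters, digits, underscore, dot and @. Anchored with \A and \z
    // rather than ^ and $, because $ also matches before a trailing "\n" in PCRE and
    // would let "alice\n" through.
    const PATTERN = '/\A[A-Za-z0-9_.@]+\z/';

    /** Returns the validated userID, or throws UserIDInvalid. */
    public static function check($userID)
    {
        if ($userID === null) {
            throw new UserIDInvalid('userID cannot be null');
        }
        if (!is_string($userID) || $userID === '') {
            throw new UserIDInvalid('userID cannot be empty');
        }
        // Character check first: once the ASCII-only pattern has matched,
        // strlen() (bytes) equals the character count used for the length bounds.
        if (preg_match(self::PATTERN, $userID) !== 1) {
            throw new UserIDInvalid('userID may contain only letters, digits, _ . @');
        }
        $len = strlen($userID);
        if ($len < self::MIN_CHARS || $len > self::MAX_CHARS) {
            throw new UserIDInvalid(sprintf('userID length must be between %d and %d',
                self::MIN_CHARS, self::MAX_CHARS));
        }
        return $userID;
    }
}

// Constructed inputs: the first three are accepted, the rest rejected.
$samples = array('alice', 'paulo.guerreiro@example.com', 'rahul_01',
                 '', 'ab', "alice\n", 'bob;drop', str_repeat('a', 65));
foreach ($samples as $candidate) {
    try {
        printf("accepted: %s\n", UserIDPolicy::check($candidate));
    } catch (UserIDInvalid $e) {
        printf("rejected %s: %s\n", var_export($candidate, true), $e->getMessage());
    }
}
```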