1

The problem

I have had a problem with a spammer registering fake users to send spam around.

The method used is to set the user name to something like "Yesterday I published this awesome video http://something.wow/spammer/video which you should come and see!" and the mail address to the spammer's target. One new registration every 5 minutes.

Attempted solutions

First, I tried to enable captcha. No way. Then invisible captcha. Again, no way. Don't ask me why, I have no idea, but the spamming did not stop.

Last, I tried to put a length limit on the username (10 characters would do). After reading the official info on server-side form validation I found that it is not perfectly in sync with the code, so I tried to read the code and I ended up with adding a maxlength="10" attribute to the username field in the registration.xml file. No way. When filling out the form, the browser in fact stops you from adding the eleventh character, but spamming continued. I suppose the spammer used a lower-level method to post the form, so the max length was not enforced.

Questions

  1. Why captcha does not work?
  2. Why the maxlength attribute does not force server-side validation?
  3. Why obvious checks like max user name lenght and sane characters are not the default in Joomla 3.9?
  4. Is it possible to add validation yourself and, do you have a working example?
Improve this question

1 Answer 1

Reset to default
0

I do not have an answer to 1.

As far as 2 and 3 are regarded, I suppose that the Joomla developers assume that these issues are not very important and anyway they are easily solved.

I have a real answer to 4. Here is my solution:

<?php /** * @package Joomla.Site * @subpackage com_users * * @copyright 2022 Francesco Potortì * @license GNU General Public License version 2 or later; see LICENSE.txt */ defined('JPATH_PLATFORM') or die; use Joomla\Registry\Registry; class JFormRuleUserNamePot extends JFormRule { /** * Test for sane usernames. * * Tested under Joomla 3.9 * To use this rule, the form XML (for example components/com_users/models/forms/registration.xml) * needs this: * <fieldset name="form_name" addrulepath="components/com_users/models/rules"> </fieldset> * * and the input (text) field needs this: * validate="usernamepot" (basename of this file, under components/com_users/models/rules/) * maxlength=10 (recommended, but any number > 0 will do) * pcrepattern="/^[0-9a-zA-Z]+$/" (recommended, any PCRE will do) * validatemessage="User name can only contain letters and numbers" (recommended) * * @param SimpleXMLElement $element The SimpleXMLElement object representing the `<field>` tag for the form field object. * @param mixed $value The form field value to validate. * @param string $group The field name group control value. This acts as an array container for the field. * For example if the field has name="foo" and the group value is set to "bar" then the * full field name would end up being "bar[foo]". * @param Registry $input An optional Registry object with the entire data set to validate against the entire form. * @param JForm $form The form object for which the field is being tested. * * @return boolean True if the value is valid, false otherwise. * * @since 3.9 */ public function test(SimpleXMLElement $element, $value, $group = null, Registry $input = null, JForm $form = null) { $maxlen = (int) $element->attributes()->maxlength; $pattern = $element->attributes()->pcrepattern; $errormessage = $element->attributes()->validatemessage; // throw new InvalidArgumentException(sprintf('maxlen=%d, pattern=%s, message=%s', $maxlen, $pattern, $element->attributes()->message)); if (strlen($value) <= $maxlen and preg_match($pattern, $value) === 1) { return true; } $element->attributes()->message = $errormessage; return false; } }
Improve this answer
0

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.